"Google Unearths Internet Explorer Zero-Day Exploited by North Korean Hackers"

Google's Threat Analysis Group (TAG) discovered a zero-day exploit for an Internet Explorer (IE) vulnerability that was used to target South Korean users. TAG made the discovery in October 2022 and found malware in documents emailed to targets. The hidden malware in the documents took advantage of a vulnerability, tracked as CVE-2022-41128, in the browser's JScript engine. TAG attributed the attacks to North Korean government-backed actors known as APT37. APT37 has previously used IE zero-days to target users, with a preference for those based in South Korea, such as journalists, human rights activists, and North Korean defectors. The malware-infected document attempted to capitalize on public interest in a devastating accident that occurred in South Korea in October. Multiple South Korean submitters flagged the malware to Google's TAG by uploading the Microsoft Office document to VirusTotal, a Google-owned website that analyzes suspicious files, domains, or URLs. Researchers discovered that the document downloaded a Rich Text File (RTF) remote template before fetching HTML content. Since Microsoft Office renders HTML content with IE, this technique has been widely used to distribute IE exploits via Office files since 2017, according to TAG. Using this vector to deliver IE exploits does not require the target to use IE as its default browser or to chain the exploit with an EPM sandbox escape. The flaw stems from IE's JavaScript engine and can be exploited to execute arbitrary code when rendering an attacker-controlled website. The bug is caused by incorrect JIT optimization, which causes type confusion. TAG notified Microsoft of the vulnerability on October 31, 2022, and it was patched five days later, on November 8, 2022. This article continues to discuss the IE zero-day exploited by the North Korean threat actor APT37.

ITPro reports: "Google Unearths Internet Explorer Zero-Day Exploited by North Korean Hackers"
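The delivery chain summarized above begins with an Office document that pulls in a remote template. The following triage check is an added example, not code from TAG or ITPro: it lists attached-template relationships in an OOXML file that point outside the package. The function names, the sample builder and the `example.invalid` URL are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, prefer the defusedxml package

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")

def external_relationships(docx_bytes):
    """Return (part, type, target) for every relationship marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((part, rel.get("Type", ""), rel.get("Target", "")))
    return found

def remote_templates(docx_bytes):
    """Targets of attached templates that live outside the document package.
    External hyperlinks are common and benign, so only the template type is flagged."""
    return [target for _, rel_type, target in external_relationships(docx_bytes)
            if rel_type == TEMPLATE_TYPE]

def build_sample(template_target, external):
    """Constructed sample: a minimal zip with OOXML relationship parts, not a real lure."""
    wrap = ('<Relationships xmlns="http://schemas.openxmlformats.org/'
            'package/2006/relationships">{}</Relationships>')
    mode = ' TargetMode="External"' if external else ""
    settings = wrap.format(
        f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{template_target}"{mode}/>')
    link_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    document = wrap.format(
        f'<Relationship Id="rId2" Type="{link_type}" '
        'Target="https://example.org/" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", settings)
        zf.writestr("word/_rels/document.xml.rels", document)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample("https://templates.example.invalid/t.rtf", external=True)
    for url in remote_templates(sample):
        print("remote template:", url)
```

A hit is a reason to inspect the document, not a verdict by itself, since some organizations legitimately host shared templates on internal servers.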

Submitted by Anonymous on