Cybersecurity researchers from Google’s Threat Analysis Group (TAG) have discovered a zero-day vulnerability in the Internet Explorer (IE) browser being exploited by a well-known North Korean threat actor.
The file is titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, which is a reference to the recent tragedy that took place in Itaewon, Seoul, during this year’s Halloween celebration, where at least 158 people lost their lives, with another 200 injured. Apparently, the attackers wanted to take advantage of the public and media attention the incident got.
Abusing old flaws
After analyzing the document being distributed, TAG found it downloading a rich text file (RTF) remote template to the target endpoint, which then grabs remote HTML content. Microsoft may have retired Internet Explorer and replaced it with Edge, but Office still renders HTML content using IE, which is a known fact threat actors have been abusing since at least 2017, TAG said.
Now that Office renders HTML content with IE, the attackers can abuse the zero-day they discovered in IE’s JScript engine.
Microsoft was tipped off on October 31 2022, with the flaw labeled CVE-2022-41128 three days later, and a patch being released on November 8.
While the process so far only compromises the device, TAG did not discover to what end. It did not find the final APT37’s payload for this campaign, it said, but added that the group was observed in the past delivering malware such as Rokrat, Bluelight, or Dolphin.
- These are the best firewalls around
Via: The Verge
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.