Microsoft is investigating a report that a zero-day vulnerability in Internet Explorer is being exploited in the wild, and that it was used as part of the recently disclosed campaign by North Korean attackers targeting security researchers.
Enki, a Korean security consultancy, published information about the vulnerability on Thursday but did not specify which versions of IE are affected and did not publish proof-of-concept exploit code, because the bug is still unpatched. The researchers said they discovered the vulnerability when the attackers sent them an MHTML (MIME HTML) web archive file, ostensibly to get help porting Chrome exploit code to macOS. The file, however, contains code that exploits a previously unknown flaw in IE.
“Some of the contents of the file can be checked in Chrome, but it is designed to enable the JavaScript function and read the contents of the article completely when the button action is activated. This is presumed to have led the target to use the Internet Explorer browser,” a translation of the Enki advisory says.
“If script execution is allowed, the additional payload is downloaded twice from the remote site (codevexillium[.]org), and the secondary payload contains the attack code that attacks the vulnerability of the Internet Explorer browser.”
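A practitioner handed a file like this would want to triage it without rendering it in any browser. The following is an added example, not ENKI's or Microsoft's code: because MHTML is a MIME multipart/related container, Python's standard email module can split it into parts, and the script then flags script tags, inline event handlers (the "button action" in the advisory is one such handler), remote script sources, and URL hosts that match a watchlist containing the codevexillium[.]org domain named above. The two-part sample archive embedded in the block is constructed for this example; its paths, file names and script URL are invented and are not from the attackers' file.

```python
"""Offline triage of an MHTML lure file.

Added example (not ENKI's or Microsoft's code). MHTML is a MIME
multipart/related message, so the standard-library email parser can split
it into parts. For each leaf part the script decodes the body, counts
<script> tags and inline event handlers (onclick= and friends), lists
remote script/iframe/object/embed sources, and reports any URL whose host
is on a watchlist. The watchlist holds the domain named in the Enki
advisory; the sample file below is constructed for this example and is
not the file the attackers sent.
"""
import email
import re
from email import policy
from typing import Dict, List

# Indicator from the Enki advisory (written here without the [.] defanging).
WATCHLIST = {"codevexillium.org"}

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
REMOTE_SRC_RE = re.compile(
    r"""<(?:script|iframe|object|embed)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def parse_mhtml(data: bytes) -> List[Dict[str, str]]:
    """Return the leaf MIME parts of an MHTML file as decoded text."""
    msg = email.message_from_bytes(data, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""  # undoes quoted-printable/base64
        charset = part.get_content_charset() or "utf-8"
        parts.append({
            "location": str(part.get("Content-Location", "")),
            "content_type": part.get_content_type(),
            "text": raw.decode(charset, errors="replace"),
        })
    return parts


def triage_part(part: Dict[str, str]) -> Dict[str, object]:
    """Count script-bearing constructs and watchlisted hosts in one part."""
    text = part["text"]
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    findings: Dict[str, object] = {
        "location": part["location"],
        "content_type": part["content_type"],
        "script_tags": len(SCRIPT_TAG_RE.findall(text)),
        "event_handlers": len(EVENT_HANDLER_RE.findall(text)),
        "remote_sources": [u for u in REMOTE_SRC_RE.findall(text) if URL_HOST_RE.match(u)],
        "watchlist_hits": sorted(hosts & WATCHLIST),
    }
    findings["suspicious"] = bool(
        findings["script_tags"] or findings["event_handlers"]
        or findings["remote_sources"] or findings["watchlist_hits"])
    return findings


def triage_mhtml(data: bytes) -> Dict[str, object]:
    """Triage every part; the file is suspicious if any part is."""
    results = [triage_part(p) for p in parse_mhtml(data)]
    return {"parts": results, "suspicious": any(r["suspicious"] for r in results)}


# Constructed sample: a two-part MHTML whose HTML part carries a button
# handler and a remote script tag pointing at the watchlisted host.
# Paths, file names and the script URL are invented for this example.
SAMPLE_MHTML = b"""Subject: Chrome exploit notes
Snapshot-Content-Location: file:///C:/Users/research/notes.html
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--0001"

------MultipartBoundary--0001
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/Users/research/notes.html

<html><body>
<h1>Chrome renderer bug writeup</h1>
<p>Click the button to read the full analysis.</p>
<button onclick=3D"loadFull()">Show full article</button>
<script src=3D"https://codevexillium.org/loader.js"></script>
</body></html>

------MultipartBoundary--0001
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/Users/research/readme.txt

Plain attachment with no script.

------MultipartBoundary--0001--
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_mhtml(SAMPLE_MHTML), indent=2))
```

The parser decodes each part's Content-Transfer-Encoding before matching, which matters because a quoted-printable body hides `onclick=` as `onclick=3D` from a naive grep. Any script at all in a saved web archive is worth a second look; a remote script source or a watchlisted host is grounds to treat the file as a lure and not open it.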
Microsoft officials said the company was aware of the report, which was initially submitted through an incorrect channel.
“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible,” a Microsoft spokesman said.
Last week, Microsoft and Google released details of a long-running campaign that targeted a number of security researchers using a variety of methods, including a network of attacker-controlled social media accounts, a research blog set up to add credibility, and requests to collaborate on research projects. The campaign has been attributed to the Lazarus group, which Microsoft tracks as ZINC, a team well known for high-profile attacks.
“After building their reputation across their established social media accounts, the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move communication to another platform (e.g., email, Discord) in some cases to then send files using encrypted or PGP protected ZIPs,” Microsoft’s Threat Intelligence Center (MSTIC) said in a report on the campaign on Jan. 28.
In that post, the MSTIC team describes the same technique the Enki researchers describe: sending a malicious MHTML file to targets. But at the time of Microsoft’s analysis the C2 site was offline, so the researchers were not able to collect the payload, and the post does not mention an IE vulnerability being used in the attack.
Enki’s researchers said that after exploitation, the attackers’ code collects and sends a variety of data to the C2 server.
“The shellcode transmits a list of processes running on the infected system, screen captures, and network interface information to C2 to collect basic information of the infected target, and then downloads and executes additional malicious code encrypted from the C2 server to memory,” the Enki researchers said.
It’s not clear how widely the IE exploit has been used, but the campaign targeting researchers was relatively contained to begin with.