A North Korean threat actor known for targeting victims in South Korea has been caught using an exploit for a zero-day vulnerability in Internet Explorer, delivered through malicious Microsoft Office documents.
Researchers with Google’s Threat Analysis Group discovered the vulnerability (CVE-2022-41128) on Oct. 31 after several people uploaded the malicious Office documents to VirusTotal. After analyzing the documents, the TAG researchers found that they download a further file, which in turn contacts a remote server to fetch HTML content. The malicious documents used the Halloween incident in Seoul as a lure to entice victims to open them.
TAG reported the vulnerability to Microsoft, which released a fix for it on Nov. 8.
“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” a post by TAG researchers Clement Lecigne and Benoit Sevens says.
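Remote-template delivery of the kind described above leaves a static footprint in the document itself: a DOCX records its attached template as an external relationship in `word/_rels/settings.xml.rels`, and an RTF declares its template with the `\*\template` control word. The triage script below is an added example written for this article, not code from TAG or from the article; it flags either form. All sample documents, hostnames and helper names (`build_docx`, `triage`) are constructed, and the RTF check handles plain control words only, so obfuscated RTF is out of scope.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the "attached template" relationship type
# Word uses to record a document's template (both are standard OOXML URIs).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# RTF declares its template with the {\*\template <path>} destination group.
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s*([^}]*)\}", re.IGNORECASE)

# A template target is treated as remote when it is a URL or a UNC path.
REMOTE_TARGET = re.compile(r"^(?:(?:https?|ftp|file)://|\\\\)", re.IGNORECASE)


def rtf_remote_templates(data: bytes) -> list:
    """Return remote template targets declared by an RTF blob.
    Plain control words only; obfuscated control words are not unpacked here."""
    targets = []
    for match in RTF_TEMPLATE.finditer(data):
        target = match.group(1).decode("latin-1").strip()
        if REMOTE_TARGET.match(target):
            targets.append(target)
    return targets


def docx_remote_templates(data: bytes) -> list:
    """Return external attachedTemplate targets from a DOCX's settings relationships."""
    targets = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            part = "word/_rels/settings.xml.rels"
            if part not in archive.namelist():
                return targets
            root = ET.fromstring(archive.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target", ""))
    except (zipfile.BadZipFile, ET.ParseError):
        pass
    return targets


def triage(data: bytes) -> dict:
    """Classify a document blob by its leading bytes and report any remote template it declares."""
    if data.lstrip().startswith(b"{\\rt"):        # RTF (samples in the wild often truncate \rtf1)
        kind, targets = "rtf", rtf_remote_templates(data)
    elif data.startswith(b"PK"):                  # ZIP container, i.e. OOXML
        kind, targets = "ooxml", docx_remote_templates(data)
    else:
        kind, targets = "other", []
    return {"type": kind, "remote_templates": targets, "suspicious": bool(targets)}


def build_docx(template_target: str, external: bool = True) -> bytes:
    """Constructed minimal ZIP carrying a Word settings relationship part (not a full DOCX);
    exists only so the detector can be exercised offline."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" Target="%s"%s/>'
            '</Relationships>' % (REL_NS, ATTACHED_TEMPLATE, template_target, mode))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/settings.xml", "<w:settings/>")
        archive.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: an RTF with a remote template and one with a local template.
REMOTE_RTF = (b"{\\rtf1\\ansi{\\*\\template http://templates.example.invalid/t.rtf}"
              b"{\\fonttbl{\\f0 Arial;}}\\f0 Hello}")
LOCAL_RTF = b"{\\rtf1\\ansi{\\*\\template C:\\\\Templates\\\\normal.dotm}\\f0 Hello}"

if __name__ == "__main__":
    for label, blob in (("remote rtf", REMOTE_RTF), ("local rtf", LOCAL_RTF),
                        ("remote docx", build_docx("http://templates.example.invalid/t.rtf")),
                        ("local docx", build_docx("Normal.dotm", external=False))):
        print(label, triage(blob))
```

This catches only the first hop (document to RTF). The second hop, RTF to HTML, is better observed on the network or in a sandbox that records the whole session, since, as the researchers note below, the server ties the HTML response to a cookie set when the RTF was served, so a bare re-fetch of the HTML URL will not reproduce what the victim received.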
“Upon investigation, TAG observed the attackers abused an 0-day vulnerability in the JScript engine of Internet Explorer.”
The exploit the attackers used is designed to bypass the protection Internet Explorer applies when opening potentially dangerous content downloaded from the internet.
“When delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when the remote HTML content is requested. This likely detects direct HTML exploit code fetches which are not part of a real infection,” the researchers said.
APT37 is also known as Reaper, and the group is mainly known for conducting cyber espionage campaigns directly aligned with the North Korean government’s interests. The group has used zero-days in operations in the past, including CVE-2020-1380, which it used last year.