Google unearths Internet Explorer zero-day exploited by North Korean hackers

The Internet Explorer zero-day vulnerability that was being exploited to target users in South Korea has been found by Google's Threat Analysis Group (TAG). This was after multiple users submitted the malware-laden document that was used to target them to Virus Total, a website for analysing suspicious files owned by Google.

TAG believes that APT37, a cybersecurity gang with links to the North Korean government was responsible for the attacks. This won’t be the first time that the group has exploited zero-day vulnerabilities in Internet Explorer to target users in South Korea. Their main targets are usually journalists, human rights activists, and North Korean Defectors.

In this latest scheme, the gang was taking advantage of an accident that happened in Itaewon where a crowd crush during Halloween resulted in hundreds of deaths and multiple injuries.

The hackers sent a word document named that seemed to be coming from South Korea’s Ministry of Interior and Safety but actually contained hidden malware.

Once downloaded the document attempted to deploy malware and gain unauthorised access to the victim’s device by leveraging a zero-day vulnerability in Internet Explorer’s JScript engine.

The malware works by downloading a rich text file (RTF) remote template which then goes on to fetch HTML content.

“Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017. Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” Google’s TAG said in a statement.

The vulnerability was flagged by the cybersecurity team in October 20222 and labelled CVE-2022-41128.

The team has already notified Microsoft of the bug and it has been fixed.

Other IE vulnerabilities that have been exploited by the North Korean hackers include a memory corruption vulnerability in March 2021 and a remote code execution bug in the browser engine that powers legacy Internet Explorer.

The vulnerabilities have all been patched.