North Korean Hackers Look to Internet Explorer Zero DaysGoogle TAG Attributes Exploits to State-Sponsored APT37, aka Reaper
Google's Threat Analysis Group says it spotted the exploit in October after multiple individuals from South Korea uploaded to VirusTotal a copy of the malicious Word file. The document purported to be an update on the Halloween crowd crush that killed more than 150 in the Itaewon neighborhood of Seoul.
APT37, also known as Reaper, primarily targets South Korea, the country with which the totalitarian regime in Pyongyang has maintained a tense seven-decade armistice. Cybersecurity firm Mandiant has written that APT37, which appears to have been active since at least 2012, focuses on targeting the public and private sectors alike for espionage campaigns.
Microsoft issued a patch for the zero-day in early November.
jscript9.dll - the application Office uses to render HTML content. Google characterizes the flaw as an incorrect just-in-time compilation that leads to variable type confusion. It is similar to another vulnerability, CVE-2021-34480, which Google researchers identified in 2021.
This North Korean threat group has exploited Internet Explorer zero-days before, Google says. Exploiting Internet Explorer through the Office channel has its advantages since it doesn't depend on users selecting the browser as the default. Nor does it require chaining the exploit with another to break free of Internet Explorer's Enhanced Protected Mode sandbox, writes Google.
The malicious document downloaded a rich text file template that in turn fetched remote HTML content - but only if users disabled Office's Protected View setting. Google researchers ultimately did not recover the final payload of the campaign, but APT37 in the past had delivered a variety of implants that "abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors."
The Cybersecurity and Infrastructure Security Agency added the IE zero-day to its catalog of known exploited vulnerabilities in November and ordered federal civilian agencies to patch the bug by Dec. 9.