Microsoft patched flaw after Google TAG researchers reported it to the company in October.
Microsoft has patched a zero-day vulnerability in Internet Explorer’s Jscript engine after researchers from Google’s Threat Analysis Group (TAG) informed the company about seeing North Korea’s APT37 group using it in attacks against South Korean targets.
The zero-day flaw (CVE-2022-41128) stems from what Google described as an incorrect just-in-time (JIT) complier optimization issue resulting in type confusion. To exploit it, an attacker would need to lure a victim to an adversary-controlled website via a phishing email or some other social engineering trick.
According to Google, the flaw is nearly identical to another scripting engine memory corruption vulnerability (CVE-2021-34480) they reported to Microsoft last year. As with the new vulnerability, to exploit the one from 2021 an attacker would first need to convince a user to either open a specially crafted file or follow-links to an attacker-controlled website. This is the 11th Microsoft-related zero-day bug that Project Zero has disclosed so far in 2022.
The APT37 campaign that Google observed involves the threat actors sending intended victims a phishing email with a document purporting to be about the deadly October 29 stampede in Seoul’s Itaewon commercial district that killed 156 people.
When opened, the document downloads a rich text file (RTF) remote template that in turn fetches remote HTML content. “Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017,” Google TAG researchers Clement Lecigne and Benoit Sevens said in a Dec. 7 blog. The advantage for attackers to deliver IE exploits this way is that it does not require victims to use Internet Explorer as their default web browser, they noted.
Google researchers discovered that the exploit which APT37 is delivering via this technique takes advantage of what turned out to be the zero-day flaw that it reported to Microsoft in October.
APT37’s zero-day payload in current campaign remains unclear
It’s unclear what payload exactly APT37 is delivering via the newly discovered vulnerability. But in previous campaigns, the group has exploited similar IE vulnerabilities and other flaws to deliver backdoors such as ROKRAT, DOLPHI and BLUELIGHT. “APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors,” Google said.
APT37, also tracked as Chollima, InkySquid, Reaper and other names, is a threat actor believed sponsored by the North Korean government. The threat actor is known to use a variety of techniques in its campaigns including strategic compromises of South Korean websites to distribute malware and using torrent file-sharing suites to mass-distribute malware.
CVE-2022-41128 is the first and only Internet Explorer zero-day vulnerability that Google’s Project Zero researchers have reported as seeing in the wild so far in 2022. Last year, the team reported four IE zero-days and in 2020 they reported two. So far in 2020, Project Zero has reported 32 in-the-wild zero-day vulnerabilities across multiple technologies. Unsurprisingly, most of them were in Windows products.