Google unearths Internet Explorer zero day exploited by North Korean hackers

The Internet Explorer icon as seen on a smartphone behind a screen with lines of code
(Image credit: Shutterstock)

Google's cyber security team has identified a zero-day exploit for an Internet Explorer vulnerability that was used to target users in South Korea.

The tech giant’s Threat Analysis Group (TAG) made the discovery in October 2022 when it found malware embedded in Microsoft Office documents that had been emailed to targets. When opened, the documents triggered an exploit for a vulnerability in the browser's JScript9 engine, tracked as CVE-2022-41128.

TAG attributed the attacks to APT37, a known North Korean state-sponsored threat group. It said that APT37 has used Internet Explorer zero-days in the past and tends to focus on targets based in South Korea, including journalists, human rights activists, and North Korean defectors.

The malware-laden document was titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”. Google said the lure was attempting to take advantage of public interest in the Halloween crowd crush that took place in Seoul's Itaewon district in October 2022.

Multiple submitters from South Korea flagged the malware to Google's TAG by uploading this Microsoft Office document to VirusTotal, a website Google owns that analyses suspicious files, domains, or URLs.

Researchers found that the document downloaded a rich text file (RTF) remote template which then went on to fetch HTML content.

“Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199),” said TAG. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”
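The delivery chain above (Office document, remote template, HTML rendered by IE) starts with a single relationship inside the .docx package. As an added example, not code from Google TAG or from the article, the Python below performs the triage check a responder would run on a suspicious document: it opens the file as a zip, reads word/_rels/settings.xml.rels and flags any attachedTemplate relationship whose target is an http(s) URL. The document it scans is constructed in memory for the demonstration, and the template URL is a placeholder.

```python
import io
import re
import zipfile
from typing import List, Optional
from xml.etree import ElementTree as ET

# OOXML package-relationship namespace and the relationship type Word uses
# for an attached (document) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PATH = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every http(s) target of an attachedTemplate relationship found
    in word/_rels/settings.xml.rels of a .docx supplied as bytes.

    A benign document usually has no attachedTemplate relationship, or one
    whose external target is a local file:// path. An http(s) target makes
    Word fetch the template from the network when the file is opened, which
    is the first hop of the remote-template -> HTML -> IE rendering chain.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and re.match(r"(?i)https?://", target):
                hits.append(target)
    return hits


# Minimal package parts for a constructed test document (not a real sample).
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>placeholder</w:t></w:r></w:p></w:body></w:document>'
)
SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)
RELS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal .docx in memory (constructed input). When
    template_target is given, the document carries an external
    attachedTemplate relationship pointing at it, mimicking a remote-template
    lure; otherwise no settings relationships are written at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/settings.xml", SETTINGS_XML)
        if template_target is not None:
            z.writestr(RELS_PATH, RELS_XML % (REL_NS, ATTACHED_TEMPLATE, template_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real lure would point at attacker-controlled infrastructure.
    suspicious = build_sample_docx("http://template.example.invalid/t.dotm")
    print("remote templates:", find_remote_templates(suspicious))
    print("clean document:", find_remote_templates(build_sample_docx(None)))
```

To triage a real file, pass `open(path, "rb").read()` to `find_remote_templates`. The check deliberately ignores `file://` targets, which Word writes for locally attached templates such as Normal.dotm, so it does not fire on ordinary corporate documents. It covers only the .docx settings relationship; the template fetched in this campaign was itself RTF, and RTF or legacy .doc files reference templates differently, so a fuller triage would also enumerate every relationship in the package with `TargetMode="External"` (OLE objects, hyperlinks, frames) rather than attached templates alone.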

“The vulnerability resides within ‘jscript9.dll’, the JavaScript engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website,” said TAG. “The bug itself is an incorrect JIT optimisation issue leading to a type confusion and is very similar to CVE-2021-34480, which was identified by Project Zero and patched in 2021.”

TAG informed Microsoft of the vulnerability on 31 October 2022, and it was subsequently assigned the CVE-2022-41128 tracking code. Microsoft released a patch on 8 November 2022, eight days after the initial report.


Microsoft has patched Internet Explorer bugs exploited by North Korean hackers before. One such flaw, fixed in March 2021, was a memory corruption vulnerability used to target security researchers: once a victim had been lured to a malicious website, the attackers could run malware on their PC.

In September 2021, Microsoft also had to fix another zero-day in MSHTML, the browser engine that powers legacy Internet Explorer. The remote code execution flaw let attackers craft a malicious ActiveX control that was loaded by a Microsoft Office document hosting the engine; the attackers then only had to tempt victims into opening the document.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.