During a routine threat hunting exercise, Google's Threat Analysis Group (TAG) caught the North Korean APT37 threat actor exploiting CVE-2022-41128, a zero-day vulnerability in the JScript engine of Microsoft Internet Explorer.
North Korean state-backed groups are known for targeting victims in many parts of the world. In this instance, APT37 went after South Korean users by exploiting the Internet Explorer zero-day.
The attack begins with a malicious Microsoft Office document sent to the victim. Once opened, the document fetches a remote RTF template from an attacker-controlled server, and that template in turn pulls down HTML content that Office renders with the Internet Explorer engine.
TAG discovered the exploit for CVE-2022-41128 on October 31, 2022, after multiple submitters from South Korea uploaded the malicious document to VirusTotal.
After analyzing the uploaded file, the researchers found that the document used the Halloween crowd crush in Seoul's Itaewon district as a lure, enticing users to open it while the incident was still in the news.
TAG reported the vulnerability to Microsoft, which released a security update fixing it on November 8, 2022.
How does APT37's new campaign work?
In the initial stage of the attack, the threat actor persuades the victim to open a Microsoft Office document. In this case the document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because the file carried the Mark-of-the-Web, the victim first had to leave Protected View before the remote template would be fetched. Since Office renders that HTML using the Internet Explorer engine, this gives the threat actor a way to deliver IE exploits.
This technique has been widely used since 2017, and many phishing campaigns pair it with lures that create a sense of urgency in the victim's mind.
Delivering IE exploits through this vector, the Google report notes, does not require the target to use Internet Explorer as the default browser, nor does it require chaining the exploit with an Enhanced Protected Mode (EPM) sandbox escape.
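The remote-template step above leaves a recognizable trace inside the .docx itself: Word records the attached template in `word/settings.xml` and resolves it through a relationship in `word/_rels/settings.xml.rels` whose `TargetMode` is `External`. The following Python script is an added example written for this article, not code from Google TAG or from the campaign; it flags templates that Word would fetch over HTTP(S) or a UNC path, while ignoring the ordinary local `Normal.dotm` reference, which is also marked `External`. The sample document it builds is constructed fixture data and the `example.invalid` host and file names are hypothetical.

```python
"""Detect remote template injection in a .docx (OOXML) package.

Word stores the attached template in word/settings.xml as
<w:attachedTemplate r:id="..."/>; the relationship with that Id lives in
word/_rels/settings.xml.rels and, for a remote template, carries
TargetMode="External" and an HTTP(S) or UNC Target. A local Normal.dotm
is also "External" (file:///...), so only network targets are flagged.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"


def is_remote_target(target: str) -> bool:
    """True if Word would fetch this target over the network (HTTP(S) or UNC)."""
    if target.startswith("\\\\"):
        return True
    return urlsplit(target).scheme.lower() in ("http", "https")


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return network targets bound as attached templates by the .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if {"word/settings.xml", "word/_rels/settings.xml.rels"} - names:
            return []  # no attached template at all
        settings = ET.fromstring(z.read("word/settings.xml"))
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    # Only r:id values that settings.xml actually binds to attachedTemplate.
    wanted = {el.get(f"{{{R_NS}}}id")
              for el in settings.iter(f"{{{W_NS}}}attachedTemplate")}
    hits = []
    for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
        if (rel.get("Id") in wanted
                and rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode") == "External"
                and is_remote_target(rel.get("Target", ""))):
            hits.append(rel.get("Target"))
    return hits


def make_sample_docx(template_target: str) -> bytes:
    """Build a minimal constructed .docx whose settings attach `template_target`.

    Fixture data for this example, not a sample from the campaign.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>lure text'
                '</w:t></w:r></w:p></w:body></w:document>')
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    target_attr = escape(template_target, {'"': "&quot;"})
    settings_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{target_attr}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attacker host versus the benign local Normal.dotm case.
    for target in ("http://example.invalid/Itaewon.dotm",
                   "file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm"):
        print(target, "->", find_remote_templates(make_sample_docx(target)))
```

Run it against a real suspicious document with `find_remote_templates(open(path, "rb").read())`. The check is deliberately narrow: it only reports a template that Word would actually attach, so a stray external relationship in some other part is not enough to trigger it, and a `file:///` path to the user's own templates directory is left alone.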
Upon further investigating the exploit, the researchers found that the threat actor was actively exploiting CVE-2022-41128, a remote code execution vulnerability in the JScript engine (jscript9.dll) of Internet Explorer. The bug is triggered when the engine renders attacker-controlled JavaScript, as happens when Office displays the fetched HTML, and it gives the attacker code execution on the victim's device from which further malicious files can be downloaded.