Google Warns of North Korea Hacking Group Exploiting Zero-Day Flaw for Internet Explorer

Colin Thierry

Google’s Threat Analysis Group (TAG) published on Wednesday the technical details of a zero-day vulnerability exploited by a North Korean government-backed Advanced Persistent Threat (APT) group, which Google tracks as APT37.

The flaw, tracked as CVE-2022-41128, is a Windows Scripting Languages remote code execution (RCE) vulnerability in the JScript engine that Internet Explorer uses. TAG discovered it in late October while analyzing malicious Microsoft Office documents that triggered the bug through content rendered by that engine.

Microsoft patched the vulnerability in its November 2022 Patch Tuesday update. The bug affects Windows 7 through Windows 11 and Windows Server 2008 through 2022; Internet Explorer’s scripting engine remains present on these systems even where the browser itself is retired, which is why an Office-based delivery chain still reaches it.

According to Google’s TAG, the North Korean government-backed actors weaponized the vulnerability against South Korean users. They delivered the exploit inside Microsoft Office documents whose lure referenced the October 29, 2022 Itaewon tragedy in Seoul, South Korea.

TAG also found other documents with similar targeting that were likely used to exploit the same vulnerability.

“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content,” Google’s TAG wrote in its analysis. “Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”

In most cases a document delivered this way carries the Mark-of-the-Web (MotW), the zone marker Windows attaches to files downloaded from the internet, so Office opens it in Protected View. The exploit chain therefore depended on the user manually disabling Protected View; only then would Word retrieve the remote RTF template and start the chain that reached the IE engine.
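The two defender-side checks suggested by the paragraphs above are easy to script: look for an external attachedTemplate relationship in a .docx (the first hop of the remote-template chain) and read the Zone.Identifier stream that carries the Mark-of-the-Web. The example below is added here and is not Google TAG’s code or any sample from the campaign; it constructs its own minimal .docx in memory and a constructed Zone.Identifier string, and the URL it embeds is a placeholder, not a real indicator.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespaces/relationship types used by Word for the attached template
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets declared in word/_rels/settings.xml.rels.

    A normal document has no such relationship, or an internal one; an external
    (http/https/UNC) target is the remote-template injection technique.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target"))
    return hits


def motw_zone(zone_identifier_text):
    """Parse the contents of a file's Zone.Identifier alternate data stream.

    Returns the ZoneId as an int (3 = Internet, 4 = Restricted) or None if absent.
    """
    m = re.search(r"^ZoneId=(\d+)", zone_identifier_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def opens_in_protected_view(zone_id):
    """Office's default policy opens zone 3 and 4 files in Protected View."""
    return zone_id is not None and zone_id >= 3


def build_sample_docx(template_url=None):
    """Construct a minimal .docx (constructed sample, not a real lure).

    With template_url set, it carries an external attachedTemplate relationship.
    """
    settings = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
        + "</w:settings>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?><Types '
            'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("word/settings.xml", settings)
        if template_url:
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL for illustration only; not an indicator from the campaign.
    suspicious = build_sample_docx("http://remote.example/template.rtf")
    print("remote templates:", find_remote_templates(suspicious))
    print("clean doc:", find_remote_templates(build_sample_docx()))
    # Constructed Zone.Identifier content, as a browser would write it on Windows
    ads = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://remote.example/\r\n"
    zone = motw_zone(ads)
    print("zone:", zone, "protected view:", opens_in_protected_view(zone))
```

On a real file the Zone.Identifier text comes from opening `path + ":Zone.Identifier"` on NTFS; the parser is separated from that read so it can be tested on any platform. A document that both carries MotW and declares an external template is exactly the case where the user had to click through Protected View for the chain to proceed.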

Google TAG did not recover a final payload for this campaign, but it noted that the group has previously deployed implants including BLUELIGHT, DOLPHIN, and ROKRAT, which are the likely candidates for what the exploit would have delivered.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.