Google's Threat Analysis Group (TAG) disclosed earlier this week that APT37, a North Korean group, has been exploiting a previously unknown Internet Explorer zero-day vulnerability to attack South Korean entities.
Google TAG learned of the attack a couple of months ago, when South Korean analysts uploaded a malicious Microsoft Office document named "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx."
If a target opens the document, it downloads a rich text format (RTF) remote template, which in turn loads remote HTML content that is rendered by Internet Explorer. Once that HTML content is loaded, it delivers the exploit for the Internet Explorer vulnerability, which works even if Internet Explorer is not the target's default browser; the final payload was not identified.
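The first stage of the chain described above, a .docx that pulls a remote RTF template, leaves a fingerprint in the document package itself: Word records the template as an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`. The script below is an added triage example, not code from Google TAG or from the article, and the sample document it builds is constructed in memory for demonstration (the template URLs and the `build_sample_docx` helper are assumptions, not artefacts from the real lure). It opens a .docx as a ZIP archive, walks every relationship part, and flags external relationships that resolve to an http(s) template.

```python
"""Triage a .docx for remote-template relationships (defender-side check).

Added example: scans OOXML relationship parts for TargetMode="External"
entries and reports attachedTemplate relationships pointing at http(s)
URLs, the tell-tale sign of remote template injection.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_external_relationships(docx_bytes: bytes) -> List[Dict]:
    """Return every relationship in the package that points outside the file.

    A benign document normally carries no external relationship in
    word/_rels/settings.xml.rels; an attachedTemplate entry whose target is an
    http(s) URL means Word will fetch and apply a template from the network.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: worth noting, but not a template reference
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                rel_type = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],  # e.g. "attachedTemplate"
                    "target": target,
                    "remote": scheme in ("http", "https"),
                    "is_template": rel_type == ATTACHED_TEMPLATE,
                })
    return findings


def is_remote_template_injection(docx_bytes: bytes) -> bool:
    """True when the document will load its template from an http(s) URL."""
    return any(f["is_template"] and f["remote"]
               for f in find_external_relationships(docx_bytes))


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads.

    This is a sample for the example, not the real lure document.
    """
    rels = f'<Relationships xmlns="{REL_NS}">'
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">')
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
        settings += '<w:attachedTemplate r:id="rId1"/>'
    rels += "</Relationships>"
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one remote template, one local template, one with none.
    for label, target in (("remote", "http://198.51.100.7/template.dotm"),
                          ("local", "file:///C:/Templates/Normal.dotm"),
                          ("none", None)):
        sample = build_sample_docx(target)
        print(label, is_remote_template_injection(sample), find_external_relationships(sample))
```

To use it on a real file, pass `open(path, "rb").read()` to `find_external_relationships`; the `part` field tells you which relationship file carried the entry, and any `remote` entry outside `settings.xml.rels` (for example an external OLE object) is also worth a look even though it is not a template.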
The zero-day flaw, tracked as CVE-2022-41128, is a weakness in Internet Explorer's JScript engine that lets an attacker who successfully exploits it run arbitrary code when the browser renders a crafted website.
Microsoft fixed it in last month's update, five days after Google TAG reported it and a CVE ID was assigned.
The research team said it did not recover the malware APT37 deployed to its victims' devices.
Google TAG could not analyse the final malicious payload that APT37 delivered to its South Korean targets' devices. However, the group is notorious for deploying a wide range of malware in its campaigns.
Google explained that it did not retrieve the final payload for this attack, but it has previously observed similar campaigns from the group delivering several malware strains, such as DOLPHIN, BLUELIGHT, and ROKRAT.
In addition, the North Korean group's implants commonly use cloud services as command-and-control infrastructure and have capabilities typical of backdoors.
APT37 has been active for over a decade and was previously linked by researchers at FireEye to North Korean state sponsorship.
Cybersecurity experts state that the group is known for attacking individuals and entities of interest to the Democratic People's Republic of Korea; human rights activists, dissidents, journalists, diplomats, and government employees are its most frequent targets.