Tuesday, October 15, 2024
HomeCyber AttackNorth Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely

North Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely

Published on

Malware protection

Researchers from the Google Threat Analysis group uncovered an incident associated with the north Korean APT37 hackers group that they have exploited an Internet Explorer Zero-day vulnerability.

Threat actors attempted to exploit the vulnerability using a weaponized document that was used to target the victims from South Korea also this APT37 believed to be a state-sponsored hacker group operating under the North Korean government.

An Internet Explorer zero-day vulnerability (CVE-2022-41128) resides in the JScript engine and allows attackers to exploit the vulnerability by executing arbitrary code. Upon successful attempts, let actors take complete control of the browser while the user loads the malicious website controlled by the attackers.

- Advertisement - SIEM as a Service

“An Internet Explorer zero-day vulnerability that existing in the JScript engine that allowed attackers to exploit the vulnerability by executing the arbitrary code and take the complete control of browser when user load the malicious website that controlled by the attackers.” Google Threat Analysis Group reported.

IE 0-Day (CVE-2022-41128) Technical Analysis:

A multiple submission of malicious Microsoft office documents were being uploaded from South Korea in Virus total engine ” â€œ221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” that refers to the recent South Korean large Halloween incident that cause several life’s.

Upon the successfully click on the document download a rich text file (RTF) remote template trigger to fetched remote HTML content that gets render only via IE and the technique is widely used by the several hacking attempts by various hackers group.

“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”

The Zero-day Exploit

The malicious document has applied with the MotW (Mark-of-the-Web), a Windows feature designed to protect users against files from untrusted sources. Actors trick users disable the protected view before the remote RTF template gets fetched.

“When delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when the remote HTML content is requested. This likely detects direct HTML exploit code fetches which are not part of a real infection.”

Also, the Javascript exploit has checked that the cookie was set before launching the exploit and reporting to the command & control server twice while dropping the exploit and after the successful execution.

The Windows API has resolved by Shell code with the custom hash algorithm, and the interesting part is that the Shellcode Wiped all the exploitation traces in the browser and clear the caches before moving ahead to download the next stage.

As part of this same campaign, attackers launched several malicious documents that attempt to exploit the same vulnerability.

Unfortunately, Researchers didn’t recover the final payload and observed that this has connection with various implants such as implants like ROKRATBLUELIGHT, and DOLPHIN.

Indicators of compromise (IOCs)

Initial documents:

  • 56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7
  • af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf
  • 926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f
  • 3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39
  • c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82

Remote RTF template:

  • 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...