Friday, June 21, 2024

North Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely

Researchers from the Google Threat Analysis group uncovered an incident associated with the north Korean APT37 hackers group that they have exploited an Internet Explorer Zero-day vulnerability.

Threat actors attempted to exploit the vulnerability using a weaponized document that was used to target the victims from South Korea also this APT37 believed to be a state-sponsored hacker group operating under the North Korean government.

An Internet Explorer zero-day vulnerability (CVE-2022-41128) resides in the JScript engine and allows attackers to exploit the vulnerability by executing arbitrary code. Upon successful attempts, let actors take complete control of the browser while the user loads the malicious website controlled by the attackers.

“An Internet Explorer zero-day vulnerability that existing in the JScript engine that allowed attackers to exploit the vulnerability by executing the arbitrary code and take the complete control of browser when user load the malicious website that controlled by the attackers.” Google Threat Analysis Group reported.

IE 0-Day (CVE-2022-41128) Technical Analysis:

A multiple submission of malicious Microsoft office documents were being uploaded from South Korea in Virus total engine ” “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” that refers to the recent South Korean large Halloween incident that cause several life’s.

Upon the successfully click on the document download a rich text file (RTF) remote template trigger to fetched remote HTML content that gets render only via IE and the technique is widely used by the several hacking attempts by various hackers group.

“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”

The Zero-day Exploit

The malicious document has applied with the MotW (Mark-of-the-Web), a Windows feature designed to protect users against files from untrusted sources. Actors trick users disable the protected view before the remote RTF template gets fetched.

“When delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when the remote HTML content is requested. This likely detects direct HTML exploit code fetches which are not part of a real infection.”

Also, the Javascript exploit has checked that the cookie was set before launching the exploit and reporting to the command & control server twice while dropping the exploit and after the successful execution.

The Windows API has resolved by Shell code with the custom hash algorithm, and the interesting part is that the Shellcode Wiped all the exploitation traces in the browser and clear the caches before moving ahead to download the next stage.

As part of this same campaign, attackers launched several malicious documents that attempt to exploit the same vulnerability.

Unfortunately, Researchers didn’t recover the final payload and observed that this has connection with various implants such as implants like ROKRATBLUELIGHT, and DOLPHIN.

Indicators of compromise (IOCs)

Initial documents:

  • 56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7
  • af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf
  • 926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f
  • 3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39
  • c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82

Remote RTF template:

  • 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles