North Korean APT37 Hackers Exploited IE Zero-Day Vulnerability Remotely

Researchers from the Google Threat Analysis group uncovered an incident associated with the north Korean APT37 hackers group that they have exploited an Internet Explorer Zero-day vulnerability.

Threat actors attempted to exploit the vulnerability using a weaponized document that was used to target the victims from South Korea also this APT37 believed to be a state-sponsored hacker group operating under the North Korean government.

An Internet Explorer zero-day vulnerability (CVE-2022-41128) resides in the JScript engine and allows attackers to exploit the vulnerability by executing arbitrary code. Upon successful attempts, let actors take complete control of the browser while the user loads the malicious website controlled by the attackers.

“An Internet Explorer zero-day vulnerability that existing in the JScript engine that allowed attackers to exploit the vulnerability by executing the arbitrary code and take the complete control of browser when user load the malicious website that controlled by the attackers.” Google Threat Analysis Group reported.

IE 0-Day (CVE-2022-41128) Technical Analysis:

A multiple submission of malicious Microsoft office documents were being uploaded from South Korea in Virus total engine ” “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” that refers to the recent South Korean large Halloween incident that cause several life’s.

Upon the successfully click on the document download a rich text file (RTF) remote template trigger to fetched remote HTML content that gets render only via IE and the technique is widely used by the several hacking attempts by various hackers group.

“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”

The Zero-day Exploit

The malicious document has applied with the MotW (Mark-of-the-Web), a Windows feature designed to protect users against files from untrusted sources. Actors trick users disable the protected view before the remote RTF template gets fetched.

“When delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when the remote HTML content is requested. This likely detects direct HTML exploit code fetches which are not part of a real infection.”

Also, the Javascript exploit has checked that the cookie was set before launching the exploit and reporting to the command & control server twice while dropping the exploit and after the successful execution.

The Windows API has resolved by Shell code with the custom hash algorithm, and the interesting part is that the Shellcode Wiped all the exploitation traces in the browser and clear the caches before moving ahead to download the next stage.

As part of this same campaign, attackers launched several malicious documents that attempt to exploit the same vulnerability.

Unfortunately, Researchers didn’t recover the final payload and observed that this has connection with various implants such as implants like ROKRAT, BLUELIGHT, and DOLPHIN.

Indicators of compromise (IOCs)

Initial documents:

• 56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7
• af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf
• 926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f
• 3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39
• c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82

Remote RTF template:

• 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book