Internet Explorer remains a viable attack vector and a recurring one for APT37, a group of malicious actors backed by the North Korean government, according to a Google Threat Analysis Group blog post released Wednesday.
The group exploited a previously unknown zero-day vulnerability to attack individuals based in South Korea with malware embedded in a Microsoft Office document.
APT37, which has exploited previous Internet Explorer zero-day vulnerabilities, manipulated widespread interest in the response to the fatal crowd crush on Oct. 29 in Seoul by including keywords referencing the tragedy in the malicious document.
The deadly crush during Halloween celebrations in a narrow alley of Seoul’s Itaewon neighborhood resulted in 156 deaths. Most of the victims were in their teens and 20s.
Google’s Threat Analysis Group discovered the zero-day vulnerability on Oct. 31 when multiple individuals uploaded the malicious file to VirusTotal. Google notified Microsoft that same day and the vulnerability was labeled and tracked as CVE-2022-41128 on Nov. 3 with a CVSS score of 8.8.
Microsoft released a patch for the remote code execution vulnerability on Nov. 8. Microsoft declined to provide details about how many potential victims are at risk or the extent to which the vulnerability is being actively exploited in the wild.
The malicious document, which requires a user to disable protected view, downloads a rich text file remote template that fetches remote HTML content.
“Because Office renders this HTML content using Internet Explorer, this technique has been widely used to distribute Internet Explorer exploits via Office files since 2017,” Clement Lecigne and Benoit Sevens, security researchers at Google’s Threat Analysis Group, wrote in a blog post.
“Delivering Internet Explorer exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” Lecigne and Sevens added.
Google’s Threat Analysis Group said it identified other malicious documents likely exploiting the same vulnerability with similar targeting, suggesting it could be part of the same campaign.
APT37 has been active for at least a decade, according to Mitre, and historically targets individuals in South Korea, North Korean defectors, policymakers, journalists and human rights activists.