0-day vulnerability discovered
Google's Threat Analysis Group (TAG) regularly searches for 0-day vulnerabilities in software that are exploited in the wild. At the end of October 2022, the team led by Benoît Sevens and Clément Lecigne came across such a vulnerability in Microsoft's Internet Explorer. A North Korean government-backed group (APT37, also known as ScarCruft, InkySquid, Reaper, and Ricochet Chollima) used the vulnerability to attack users in South Korea via malicious code embedded in documents.
Vulnerability patched in November 2022
These malicious documents exploited a 0-day vulnerability, CVE-2022-41128, in Internet Explorer's JScript engine that was still unpatched in October 2022. Within hours of discovering it, the security researchers reported the vulnerability to Microsoft. Microsoft closed it on November 8, 2022 (see Microsoft Security Update Summary (November 8, 2022)). The affected Windows updates from the November 2022 patchday (see the links at the end of the article) protect users from these attacks.
Google TAG published details
Now, as of December 7, 2022, the Google team has disclosed its discovery in the blog post Internet Explorer 0-day exploited by North Korean actor APT37. The 0-day vulnerability was noticed because several users from South Korea uploaded a Microsoft Office document with the title "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" to VirusTotal on October 31, 2022. Meanwhile, many virus scanners detect the malicious code (see the figure).
The document refers to the tragic incident in the Itaewon area of Seoul, South Korea, where many people died during Halloween celebrations on October 29, 2022. The incident was widely covered in the media, and the Word document used as a decoy exploits the great public interest in this event.
The document downloaded a rich text file (RTF) template from the Internet, which in turn retrieves remote HTML content. Since Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to spread IE exploits via Office files since 2017 (e.g., CVE-2017-0199). Spreading IE exploits via this vector has the advantage for the attacker that the targeted victim does not need to use Internet Explorer as the default browser, and the exploit does not need to be chained with an Enhanced Protected Mode (EPM) sandbox escape.
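The remote-template chain described above leaves a trace inside the .docx package itself: a relationship of type attachedTemplate whose target is an external http(s) URL. The following detection script is an added example (not code from this blog or from Google TAG) that scans the .rels parts of a Word document for such relationships; it builds a constructed sample document instead of using the real decoy, and the list of risky relationship types is an assumption chosen for illustration, not an exhaustive one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Word fetch and render remote content.
# Assumption: an illustrative list, not an exhaustive one.
RISKY_TYPES = ("/attachedTemplate", "/oleObject", "/frame")


def find_remote_relationships(docx_bytes):
    """Return (part, relationship kind, target URL) for each external
    http(s) relationship of a risky type found in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts live inside the zip itself
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                if rtype.endswith(RISKY_TYPES) and scheme in ("http", "https"):
                    findings.append((name, rtype.rsplit("/", 1)[-1], target))
    return findings


def build_sample_docx(template_url):
    """Construct a minimal .docx (constructed test input, not the real
    decoy) whose settings part links an external template."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    otype = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    settings_rels = (f'<Relationships xmlns="{ns}"><Relationship Id="rId1" '
                     f'Type="{otype}attachedTemplate" Target="{template_url}" '
                     'TargetMode="External"/></Relationships>')
    # A plain hyperlink is external too but harmless; it must not be flagged.
    document_rels = (f'<Relationships xmlns="{ns}"><Relationship Id="rId1" '
                     f'Type="{otype}hyperlink" Target="https://example.invalid/" '
                     'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()
```

Running `find_remote_relationships(build_sample_docx("http://template.example.invalid/decoy.dotm"))` reports the attachedTemplate relationship in word/_rels/settings.xml.rels and ignores the ordinary hyperlink, which is the signal to quarantine the file for further analysis.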
Upon examining the suspect file, security researchers at Google's Threat Analysis Group (TAG) determined that the attackers exploited a 0-day vulnerability in Internet Explorer's JScript engine (the jscript9.dll file). An incorrect JIT optimization results in a type confusion that can be exploited to execute arbitrary code when rendering an attacker-controlled website.
The details of the analysis and the Indicators of Compromise (IoCs) are described in Google's blog post. Google TAG reported the vulnerability to Microsoft on October 31, 2022, and it was assigned the designation CVE-2022-41128 on November 3, 2022. The vulnerability was then patched in a timely manner on November 8, 2022.
Microsoft Security Update Summary (November 8, 2022)
Patchday: Windows 10-Updates (November 8, 2022)
Patchday: Windows 11/Server 2022-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)