North Korean hackers once again exploit Internet Explorer's leftover bits

APT37, a group believed to be backed by the North Korean government, has found success exploiting the bits of Internet Explorer still present in various Windows-based apps.

Aurich Lawson | Getty Images

Microsoft's Edge browser has replaced Internet Explorer in almost every regard, but some exceptions remain. One of those, deep inside Microsoft Word, was exploited by a North-Korean-backed group this fall, Google security researchers claim.

It's not the first time the government-backed APT37 has used Internet Explorer's lingering presence, as Google's Threat Analysis Group (TAG) notes in a blog post. APT37 has had repeated success targeting South Korean journalists and activists, plus North Korean defectors, through a limited but still successful Internet Explorer pathway.

The latest exploit targeted those heading to Daily NK, a South Korean site devoted to North Korean news. This one involved the Halloween crowd crush in Itaewon, which killed at least 151 people. A Microsoft Word .docx document, named as if it were timed and dated less than two days after the incident and labeled "accident response situation," began circulating. South Korean users began submitting the document to the Google-owned VirusTotal, where it was flagged with CVE-2017-0199, a long-known vulnerability in Word and WordPad.

The document in question purports to be related to a deadly crowd panic in late October in Itaewon, South Korea.

Just as in April 2017, the document, if you click to allow Word/WordPad to view it outside the no-download "Protected View," downloads a rich text template from an attacker-controlled server, then grabs more HTML that looks like Rich Text Format templates. Office and WordPad intrinsically use Internet Explorer to render HTML in what Microsoft describes as "specially crafted files," giving attackers a way to then bring in various malware payloads. While patched that same month, the vulnerability persisted; it was one of the vectors exploited in a Petya wave more than a year later.
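The remote-template behaviour described above leaves a footprint that defenders can check for before a document is ever opened: a .docx is a zip package, and a template pulled from a server appears as a relationship with `TargetMode="External"` and an http(s) target in one of the package's `.rels` parts (for an attached template, `word/_rels/settings.xml.rels`). The following is an added example, not code from the article or from Google TAG; it uses the standard OOXML relationship-type URIs, builds its own constructed sample packages (they are not real Word files, only the parts the check inspects are present), and the `attacker.example` URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and relationship-type URIs (assumed from the
# Office Open XML spec, not taken from the article).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
OLE_OBJECT = OFFICE_REL + "oleObject"

# Relationship types that should not point at a remote host in a benign file.
SUSPICIOUS_TYPES = {
    ATTACHED_TEMPLATE: "remote template (document fetches a template from a server)",
    OLE_OBJECT: "external OLE link (document fetches an object from a server)",
}


def find_external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship in the
    package whose TargetMode is External and whose target is an http(s) URL.
    Non-XML or malformed .rels parts are skipped rather than trusted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(("http://", "https://")):
                    findings.append((name, rel.get("Type", ""), target))
    return findings


def triage(docx_bytes):
    """Map each external relationship to a human-readable reason. Unknown
    relationship types with remote targets are still reported, as they are
    worth a look, but with a generic label."""
    reasons = []
    for part, rel_type, target in find_external_relationships(docx_bytes):
        label = SUSPICIOUS_TYPES.get(rel_type, "external relationship")
        reasons.append(f"{part}: {label} -> {target}")
    return reasons


def build_sample_docx(template_url=None):
    """Constructed sample package for testing the check. When template_url is
    given, an external attachedTemplate relationship is written into
    word/_rels/settings.xml.rels, the part Word consults for a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        zf.writestr(
            "word/document.xml",
            "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'>"
            "<w:body/></w:document>",
        )
        rels = [
            f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        ]
        if template_url:
            rels.append(
                f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/>'
            )
        zf.writestr(
            "word/_rels/settings.xml.rels",
            f'<Relationships xmlns="{RELS_NS}">' + "".join(rels) + "</Relationships>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; constructed for the example only.
    for verdict in triage(build_sample_docx("http://attacker.example/template.rtf")):
        print(verdict)
```

The check deliberately looks at every `.rels` part rather than only `settings.xml.rels`, since external OLE links and other remote references live in other parts; a benign file produced by Word normally has no http(s) relationship targets at all, so any hit is worth quarantining for analysis. It does not inspect RTF files, which carry the equivalent link in a different format.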

The specific vulnerability has to do with Internet Explorer's JavaScript engine. An error during just-in-time optimization results in a data type confusion and memory writes. This particular exploit also cleaned up after itself, clearing the Internet Explorer cache and history of its presence. While Google's TAG doesn't know what payloads were delivered, APT37 has previously circulated exploits that triggered BLUELIGHT, ROKRAT, and DOLPHIN, all focusing on North Korean political and economic interests. (North Korean hackers aren't averse to a Chrome exploit, though.)

Microsoft patched the specific exploit in its JScript engine, but this being the fifth year of remote-code Word document attacks, it seems likely they'll be around for a while longer. And North Korean actors will likely be eager to act on them.
