Complications of zero-day vulnerability exploited remotely by Hackers


Researchers from Google's Threat Analysis Group (TAG) discovered an incident in which the APT37 hacker group exploited an Internet Explorer zero-day vulnerability.

The threat actors attempted to exploit the vulnerability using a weaponized document that targeted victims in South Korea. APT37 is believed to be a state-sponsored hacking group operating under the North Korean government.

The Internet Explorer zero-day flaw (CVE-2022-41128) lies in the JScript engine and allows attackers to execute arbitrary code. When successful, the attackers can take complete control of the browser while the user loads a malicious website controlled by the cybercriminals.

"An Internet Explorer zero-day vulnerability that existed in the JScript engine allowed attackers to exploit the vulnerability by executing arbitrary code and take total control of the browser when the user loads a malicious site controlled by the attackers," the Threat Analysis Group reported.

IE 0-Day (CVE-2022-41128) Technical Analysis:

A string of malicious Microsoft Office documents were submitted to VirusTotal from South Korea, among them 221031 Seoul Yongsan Itaewon collision response situation (06:00).docx, which referenced the recent Halloween incident in South Korea that caused several casualties.

Once the document is opened, the remote template is fetched and in turn triggers the loading of a remote HTML file, which is handled by the Internet Explorer engine. This delivery technique is widely used in attacks.

Delivering exploits via this vector has the advantage of not requiring the target to use Internet Explorer as the default browser, nor of having to chain the exploit with an EPM (Enhanced Protected Mode) sandbox escape.

The 0-day exploit:

The malicious file carries the Mark-of-the-Web (MotW), a Windows mechanism that protects users by restricting files that originate from untrusted sources. The attackers therefore have to trick victims into disabling Protected View before the RTF template can be fetched remotely.

When serving the remote RTF, the HTTP server sets a unique cookie in the response. That cookie is presented again when the remote HTML content is requested. It most likely lets the attackers tell genuine victims apart from direct requests for the HTML exploit code, for example from researchers' browsers, which are not part of any real infection.

In addition, the JavaScript exploit verifies that the cookie was set before it launches, and it reports to the command-and-control server twice: once when it is delivered and again upon successful completion of execution.
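The cookie gating described in the two paragraphs above also gives defenders a sequence to hunt for in web-proxy logs: an Office process fetches a remote .rtf from an external host, the response sets a cookie, and the same client then presents that cookie to the same host and receives HTML. The script below is an added example (not from the article or Google TAG) that correlates those events; the tab-separated log format, the field names and the hosts under example.invalid are all assumptions constructed for the demonstration.

```python
# Constructed sample proxy log, tab-separated. Columns (an assumed format, not any real product's):
# time  client_ip  host  path  user_agent  resp_content_type  set_cookie  request_cookie
SAMPLE_LOG = """\
10:00:01\t10.0.0.5\tdocs.example.invalid\t/t/template.rtf\tMicrosoft Office/16.0 (Word)\ttext/rtf\tsid=abc123; Path=/\t-
10:00:02\t10.0.0.5\tdocs.example.invalid\t/t/page.html\tMozilla/4.0 (compatible; MSIE 7.0)\ttext/html\t-\tsid=abc123
10:05:00\t10.0.0.9\tcdn.example.invalid\t/style.css\tMozilla/5.0\ttext/css\t-\t-
10:06:00\t10.0.0.7\tdocs.example.invalid\t/t/page.html\tMozilla/5.0\ttext/html\t-\t-
"""

FIELDS = ["time", "client", "host", "path", "ua", "ctype", "set_cookie", "cookie"]


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def is_office_rtf_fetch(row):
    """An Office user agent retrieving RTF content: the remote-template fetch."""
    office_ua = "Microsoft Office" in row["ua"]
    rtf = row["ctype"] == "text/rtf" or row["path"].lower().endswith(".rtf")
    return office_ua and rtf


def remote_template_fetches(text):
    """Low-confidence signal on its own: every Office-initiated remote RTF fetch."""
    return [(r["client"], r["host"], r["path"]) for r in parse_log(text) if is_office_rtf_fetch(r)]


def correlate(text):
    """High-confidence signal: an Office RTF fetch that set a cookie, followed by the
    same client presenting that cookie to the same host and receiving HTML."""
    pending = {}   # (client, host) -> (cookie name=value, rtf path)
    alerts = []
    for row in parse_log(text):
        key = (row["client"], row["host"])
        if is_office_rtf_fetch(row) and row["set_cookie"] != "-":
            # Keep only name=value; drop Path/Expires attributes.
            pending[key] = (row["set_cookie"].split(";")[0].strip(), row["path"])
            continue
        if key in pending and row["ctype"] == "text/html":
            cookie, rtf_path = pending[key]
            if cookie in row["cookie"]:
                alerts.append({"time": row["time"], "client": row["client"], "host": row["host"],
                               "template": rtf_path, "html": row["path"], "cookie": cookie})
                del pending[key]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("remote template followed by cookie-gated HTML:", alert)
```

Note that the client at 10.0.0.7, which requests the HTML page directly without ever fetching the template, produces no alert; that is the same request pattern the cookie check on the attacker's side is meant to filter out, so the correlation mirrors the attacker's own gating logic rather than alerting on every visit to the host.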

The custom shellcode resolves Windows API functions through a hashing algorithm, clears all traces of the exploit from the software's runtime environment, and is then used by the next stage.

In this particular campaign, the attackers created several malicious documents delivering the same exploit.

Unfortunately, the researchers did not recover the final payload, but they found that the campaign is connected to other implants such as ROKRAT, BLUELIGHT, and DOLPHIN.

Indicators of compromise (IOCs)

Initial documents:

  • 56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7
  • af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf
  • 926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f
  • 3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39
  • c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82

Remote RTF template:

  • 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb
