8 December 2022

North Korean hackers exploited IE zero-day to deploy malware

A North Korean state-backed threat actor known as APT37 has exploited a zero-day vulnerability in the Internet Explorer browser to infect targets in South Korea with malware.

The flaw, tracked as CVE-2022-41128, is a memory-corruption bug in JScript9 (jscript9.dll), the JScript engine used by Internet Explorer; Google TAG attributed it to an incorrect JIT optimization that leads to a type confusion. A remote attacker who gets a target to render attacker-controlled HTML can corrupt memory and execute arbitrary code on the system.

The vulnerability came to light in late October 2022, when Google’s Threat Analysis Group (TAG) noticed that multiple South Korean users began uploading a malicious Microsoft Office document to VirusTotal.

The document referenced the crowd crush in the Itaewon neighborhood of Seoul, South Korea, during Halloween celebrations on October 29, 2022, in which more than 150 people were killed. Upon investigation, TAG found that the document, once opened, downloaded a remote rich text (RTF) template, which in turn fetched remote HTML content; although Internet Explorer was retired in June 2022, Office still renders that HTML with the IE engine, so the attackers could abuse the zero-day in IE's JScript engine without the victim ever opening the browser. The team notified Microsoft about the vulnerability and it was fixed as part of the November 2022 Patch Tuesday release.
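Because the chain starts with an Office document that pulls a template from a remote host, one practical triage step is to check documents for an attached template whose target is a web or UNC location rather than a local .dotm. The following is an added example written for this article, not code from TAG, Microsoft or the original page; it constructs a minimal .docx in memory (the template URL and host 203.0.113.5 are made-up illustration values, not indicators from the real lure) and inspects the relationship file Word uses to locate an attached template.

```python
"""Flag Office documents that pull their template from a remote location.

Added example for this article. The sample documents built below are
constructed for illustration; nothing here is recovered from the real
APT37 document or from TAG's analysis.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"

# A template fetched over HTTP(S) or from a UNC share is the lure pattern;
# a local path such as Normal.dotm is routine and is not flagged.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that points at a remote host."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Word stores the attachedTemplate relationship next to settings.xml.
        rels_name = "word/_rels/settings.xml.rels"
        if rels_name not in z.namelist():
            return found
        root = ET.fromstring(z.read(rels_name))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if REMOTE_TARGET.match(target):
                found.append(target)
    return found


def build_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx; with a target it mimics a remote-template lure."""
    rels = '<Relationships xmlns="%s">' % REL_NS
    if template_target is not None:
        rels += ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                 % (ATTACHED_TEMPLATE, template_target))
    rels += "</Relationships>"

    settings = ('<w:settings xmlns:w="%s" xmlns:r="%s">' % (WORD_NS, OFFICE_REL_NS))
    if template_target is not None:
        settings += '<w:attachedTemplate r:id="rId1"/>'
    settings += "</w:settings>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % WORD_NS)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: the host and path are documentation values, not real IOCs.
    lure = build_docx("http://203.0.113.5/itaewon.dotm")
    print("remote templates in lure:", remote_templates(lure))
    print("remote templates in clean doc:", remote_templates(build_docx(None)))
```

The check only inspects the package; it does not fetch the template. Run it over quarantined attachments to decide which ones deserve a sandbox detonation, and treat any web or UNC template target in a document that arrived by e-mail as suspicious regardless of the target host.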

The researchers said they weren’t able to identify the final payload the attackers delivered in this campaign, but noted that previously APT37 was observed deploying a variety of malware families like Rokrat, BlueLight, and Dolphin on the infected systems.
