
Google unearths Internet Explorer zero day exploited by North Korean hackers

The exploit was found after analysing malware embedded in documents targeting users in South Korea

Google's cyber security team has identified a zero-day exploit for an Internet Explorer vulnerability that was used to target users in South Korea.

The tech giant’s Threat Analysis Group (TAG) made the discovery in October 2022 and found malware embedded in documents that were emailed to targets. The hidden malware residing in the documents exploited a vulnerability in the browser's JScript engine, tracked as CVE-2022-41128. 

TAG attributed the attacks to APT37, a known threat group that it has attributed to North Korean state-sponsored hackers. It said that APT37 has used Internet Explorer zero-days in the past to target users, and tends to focus on those based in South Korea, including journalists, human rights activists, and North Korean defectors.

The malware-laden document was titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, which Google said was an attempt to take advantage of public interest in an accident, a Halloween crowd crush, that took place in South Korea in October.

Multiple submitters from South Korea flagged the malware to Google's TAG by uploading this Microsoft Office document to VirusTotal, a website Google owns that analyses suspicious files, domains, or URLs.

Researchers found that the document downloaded a rich text file (RTF) remote template which then went on to fetch HTML content.

“Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199),” said TAG. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”
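The delivery chain described above starts with a Word document whose settings reference an external (remote) template; Office fetches that template when the file is opened. A defender can triage a suspicious .docx for exactly that indicator before it is ever opened. The following scanner is an added example and is not code from the article, Google TAG, or VirusTotal. It relies on the standard OOXML layout, in which an attached-template reference lives in `word/_rels/settings.xml.rels` as a `Relationship` of type `attachedTemplate`; a `TargetMode="External"` attribute marks a template loaded from outside the package. The three sample documents are constructed in memory for illustration, and the URL in the remote sample is a placeholder.

```python
"""Flag .docx files that reference a remote (external) attached template.

Added example, not from the IT Pro article or Google TAG. The relationship
type constant is the standard OOXML attachedTemplate relationship type; the
sample documents built below are constructed skeletons, not real files.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace of OOXML package relationship files (*.rels).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses to point at the document's attached template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Part inside the .docx zip where the attached-template relationship is stored.
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return the external attachedTemplate targets found in a .docx.

    A local template (no TargetMode, or TargetMode="Internal") is normal and
    is not reported; only TargetMode="External" references are returned.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))

    targets = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when the document would pull a template from outside the package."""
    return bool(remote_template_targets(docx_bytes))


def build_docx(settings_rels: Optional[str]) -> bytes:
    """Build a minimal constructed .docx skeleton (placeholder parts only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if settings_rels is not None:
            zf.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


# Constructed samples: no template, a local template, and a remote template.
REMOTE_URL = "http://remote-template.invalid/template.dotm"  # placeholder URL

BENIGN = build_docx(None)
LOCAL_TEMPLATE = build_docx(
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="Normal.dotm"/>'
    "</Relationships>"
)
REMOTE_TEMPLATE = build_docx(
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    f'Target="{REMOTE_URL}" TargetMode="External"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("local", LOCAL_TEMPLATE),
                         ("remote", REMOTE_TEMPLATE)]:
        print(name, has_remote_template(sample), remote_template_targets(sample))
```

The check is deliberately narrow: it reports only an attached template that Word would fetch from outside the package, so ordinary documents based on a local `.dotm` are not flagged. In a mail gateway or sandbox pipeline the reported target URL is also a useful indicator for blocking and for hunting other documents that reference the same host.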

“The vulnerability resides within ‘jscript9.dll’, the JavaScript engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website,” said TAG. “The bug itself is an incorrect JIT optimisation issue leading to a type confusion and is very similar to CVE-2021-34480, which was identified by Project Zero and patched in 2021.”

TAG informed Microsoft of the vulnerability on 31 October 2022, and it was then assigned the CVE-2022-41128 tracking code. Five days later, on 8 November 2022, the vulnerability was patched.


Microsoft has fixed Internet Explorer bugs in the past that were exploited by North Korean hackers. One such flaw, discovered in March 2021, was a memory corruption vulnerability used to target security researchers: it enabled hackers to run malware on a victim’s PC once the victim had been lured to a malicious website.

In September 2021, Microsoft also had to issue another fix for a zero-day vulnerability in the MSHTML browser engine, which powers legacy Internet Explorer. It was a remote code execution flaw that allowed hackers to craft a malicious ActiveX control for use by a Microsoft Office document hosting the engine. The attackers would then tempt victims into opening the document.
