IE Vulnerability Exploited by APT37 to Spread Malware

2 mins read

Internet Explorer JScript engine zero-day vulnerability exploited by the North Korean hacker group APT37.

156 people were killed due to a crowd crush during Halloween celebrations in Itaewon, Seoul. Soon after the incident, a Microsoft document named "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" was used by the North Korean hacker group APT37 to spread malware by attracting users by referring to the tragic incident.

Upon investigation by Google's Threat Analysis Group (TAG), a vulnerability (CVE-2022-41128) was discovered in the Internet Explorer JScript engine. According to the TAG, the vulnerability was reported to Microsoft on October 31, and the fixes were released on November 8.

The word document retrieved a remote template for a rich text file, requesting a remote HTML file. The attack did not require IE to be used as a default browser because it used a common technique used by Office to use IE for rendering the HTML information.