Microsoft's Edge browser has replaced Internet Explorer in nearly every respect, but some exceptions remain. One of them, inside Microsoft Word, was exploited by a North Korea-backed group in this case, Google security researchers say.
This isn't the first time the government-backed APT37 has used Internet Explorer's lingering presence, as Google's Threat Analysis Group (TAG) notes in a blog post. APT37 has had repeated successes targeting South Korean journalists and activists, as well as North Korean defectors, through a limited but still effective Internet Explorer pathway.
The latest exploit targeted people who made their way to Daily NK, a South Korean website devoted to North Korean news. It drew on the Halloween crowd crush in Itaewon, which killed at least 151 people. A Microsoft Word .docx document began circulating, named as if timed and dated less than two days after the incident and labeled "incident response situation." South Korean users began submitting the document to Google-owned VirusTotal, where it was tagged with CVE-2017-0199, a long-known vulnerability in Word and WordPad.
Just as in April 2017, the document, if you click to let Word or WordPad open it outside of "Protected View," downloads an RTF template from an attacker-controlled server, which in turn fetches remote HTML content. Office and WordPad use Internet Explorer to render HTML in what Microsoft describes as "specially crafted files," giving attackers a way to deliver various malware payloads. Despite being patched later that month, the vulnerability persisted; it was one of the vectors exploited in a wave of Petya attacks more than a year later.
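The first stage of that chain, a .docx that points at a template on a remote server, is visible inside the document itself: Word records the attached template as a relationship in `word/_rels/settings.xml.rels`, and when the target is a URL rather than a local path Word fetches it at open time. The scanner below checks for exactly that. It is an added example, not code from the TAG post or the article; the sample documents it builds in memory, and the 203.0.113.10 address they point at, are constructed here for illustration. It only covers this first stage, not the RTF or HTML that follow.

```python
"""Flag .docx files whose attached template lives on a remote host.

Added example for this article; not code from Google TAG or Microsoft.
The documents scanned below are constructed in memory, and the
203.0.113.10 host in them is an RFC 5737 documentation address."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ODR_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = ODR_NS + "/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REMOTE_SCHEMES = {"http", "https"}


def remote_templates(docx_bytes: bytes) -> list:
    """Return the targets of attachedTemplate relationships that Word would
    fetch over the network when the document leaves Protected View.

    A template stored on the local machine is also written with
    TargetMode="External" but as a file:// path, so TargetMode alone is
    not enough: the target must be an http(s) URL or a UNC path."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no attached template at all
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            is_url = urlsplit(target).scheme.lower() in REMOTE_SCHEMES
            is_unc = target.startswith(("\\\\", "//"))  # SMB share: also a remote fetch
            if is_url or is_unc:
                hits.append(target)
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx (sample input for this example only).

    With template_target set, settings.xml carries an attachedTemplate
    whose relationship is External and points at that target; with None,
    the document has no template relationship at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        settings = (
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{ODR_NS}">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
            + "</w:settings>"
        )
        zf.writestr("word/settings.xml", settings)
        if template_target:
            rels = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{escape(template_target, {chr(34): "&quot;"})}" '
                'TargetMode="External"/></Relationships>'
            )
            zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed samples: one remote HTTP template (the pattern in the
# article), one UNC share, one benign local Normal.dotm, one plain file.
SAMPLES = {
    "remote_http": "http://203.0.113.10/templates/incident.dotm",
    "remote_unc": "\\\\203.0.113.10\\share\\incident.dotm",
    "local_normal": "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm",
    "no_template": None,
}


def scan_samples() -> dict:
    """Scan every constructed sample; maps sample name -> flagged targets."""
    return {name: remote_templates(build_docx(target)) for name, target in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name:13s} {'FLAGGED ' + ', '.join(flagged) if flagged else 'clean'}")
```

A file that trips this check is not necessarily malicious, but a remote attached template in mail-borne documents is rare enough that it earns a quarantine and a look at what the URL serves.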
Microsoft patched the specific exploit in its JScript engine, but with Word documents now in their fifth year as a remote-code-execution vector, it looks like these attacks will be around for a while yet. And North Korean actors will be eager to play them.