North Korean hackers once again exploit leftover bits of Internet Explorer

APT37, a group believed to be backed by the North Korean government, has had success exploiting bits of Internet Explorer still present in various Windows-based apps.

Aurich Lawson | Getty Images

Microsoft’s Edge browser has replaced Internet Explorer in nearly every respect, but some exceptions remain. One of them, inside Microsoft Word, was exploited by a North Korean-backed group in this case, Google security researchers say.

This is not the first time the government-backed APT37 has used Internet Explorer’s persistent presence, as Google’s Threat Analysis Group (TAG) notes in a blog post. APT37 has had repeated successes targeting South Korean journalists and activists, as well as North Korean defectors, through a limited but still effective Internet Explorer path.

The latest exploit targeted visitors to Daily NK, a South Korean website devoted to North Korean news. The lure was the Halloween crowd crush in Itaewon, which killed at least 151 people. A Microsoft Word .docx document began circulating, named as if timed and dated less than two days after the incident and labeled “incident response scenario.” South Korean users began submitting the document to Google-owned VirusTotal, where it was tagged with CVE-2017-0199, a long-known vulnerability in Word and WordPad.

The document in question purports to be linked to a deadly crowd crush in late October in Itaewon, South Korea.

Just as in April 2017, the document, if you click to allow Word/WordPad to view it outside of “Protected View,” downloads an RTF template from an attacker-controlled server, then fetches further HTML in the manner of a Rich Text Format template. Office and WordPad inherently use Internet Explorer to render HTML in what Microsoft describes as “specially crafted files,” giving attackers a way to introduce various malware payloads. Despite being patched later that month, the vulnerability persisted; it was one of the vectors exploited in a wave of Petya more than a year later.
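The remote-template step described above leaves a visible trace inside the .docx package: a relationship part pointing outside the file with TargetMode="External". The following added example (not code from the article or from Google TAG) scans a .docx for such relationships and builds a constructed sample document in memory so the check can run offline; the template URL in the sample is a placeholder.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Relationship types that can pull content from outside the package.
# Hyperlinks are routinely external; the others are the interesting ones.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def find_external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship
    in the .docx whose TargetMode is External (i.e. content fetched remotely)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for match in re.finditer(r"<Relationship\b[^>]*/?>", xml):
                tag = match.group(0)
                if 'TargetMode="External"' not in tag:
                    continue
                # Type is a URI; its last path segment names the relationship kind.
                rtype = re.search(r'Type="[^"]*/([^"/]+)"', tag)
                target = re.search(r'Target="([^"]*)"', tag)
                findings.append((name,
                                 rtype.group(1) if rtype else "?",
                                 target.group(1) if target else "?"))
    return findings


def suspicious_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """External relationships that are not plain hyperlinks, e.g. a remote
    attachedTemplate or oleObject: the CVE-2017-0199-style loading pattern."""
    return [f for f in find_external_relationships(docx_bytes)
            if f[1] not in BENIGN_EXTERNAL_TYPES]


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx whose settings part references a remote
    template. Sample data for testing the scanner, not a real malicious file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml",
                    '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    f'Target="{template_url}" TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

A hit on attachedTemplate or oleObject pointing at an http(s) target is worth quarantining for analysis; an empty result only says the package contains no external relationship, not that the file is safe.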

The specific vulnerability targets the Internet Explorer JavaScript engine. An error during just-in-time optimization results in a data type confusion and a write to memory. This particular exploit also cleaned up after itself, clearing Internet Explorer’s cache and history of its presence. While Google’s TAG doesn’t know what payloads were delivered, APT37 has previously disseminated exploits that triggered BLUELIGHT, ROKRAT, and DOLPHIN, all targeting North Korea’s political and economic interests. (Still, North Korean hackers aren’t averse to a Chrome exploit.)

Microsoft patched the specific exploit in its JScript engine, but this being the fifth year of remote-code Word document attacks, it looks like they’ll be around for a while yet. And North Korean actors will be eager to play them.