Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

Dec 08, 2022 | Ravie Lakshmanan | Patch Management / Zero-Day

Internet Explorer Zero-Day Vulnerability

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users, capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware.

The discovery, reported by Google Threat Analysis Group (TAG) researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is also known as APT37, InkySquid, Reaper, and Ricochet Chollima.

“The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists,” TAG said in a Thursday analysis.

The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.

Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.

The attack chain observed by Google TAG involves the use of a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022. It abuses yet another Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, that was patched by Microsoft last month.

The file references the October 29 incident that took place in the Itaewon neighborhood of Seoul and exploits public interest in the tragedy to retrieve an exploit for the vulnerability upon opening it. The attack is enabled by the fact that Office renders HTML content using Internet Explorer.

As MalwareHunterTeam points out, the same Word file was previously shared by the Shadow Chaser Group on October 31, 2022, describing it as an “interesting DOCX injection template sample” that originated from Korea.

Successful exploitation is followed by the delivery of shellcode that wipes all traces by clearing the Internet Explorer cache and history, as well as downloading the next-stage payload.

Google TAG said it could not recover the follow-on malware used in the campaign, although it is suspected to have involved the deployment of RokRat, BLUELIGHT, or Dolphin.

“It isn’t surprising that they continue to target South Korean users,” ESET malware analyst Filip Jurčacko told The Hacker News. “We haven’t seen ScarCruft use zero-day exploits for a while. Previously, they were repurposing public PoCs of n-day exploits.”

“Given the rarity/scarcity of zero-day exploits, we expect ScarCruft would use it together with some of their more sophisticated backdoors such as Dolphin. Moreover, the office theme of [command-and-control] domains matches previous campaigns.”
