APT37 Leverages Internet Explorer Zero-Day to Target South Korean Users

Google Threat Analysis Group (TAG) researchers reported an APT37 campaign, observed in October 2022, that leveraged the CVE-2022-41128 Internet Explorer zero-day to target South Korean users.

Context

APT37 is a known, sophisticated North Korean state-backed actor that has historically leveraged Internet Explorer zero-days to target North Korean defectors, government officials, journalists, and activists in South Korea.

Technical Details

CVE-2022-41128 was patched by Microsoft on November 8, 2022. According to Microsoft, “this vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.”

According to Google researchers, “the vulnerability resides within ‘jscript9.dll’, the JavaScript engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website.”

According to Google researchers, multiple South Korean users submitted malicious Microsoft Office documents to VirusTotal. The documents used national tragedies in South Korea as lure themes and download a rich text file (RTF) remote template, which in turn downloads remote HTML content.

Users need to disable Protected View on the document for the remote RTF template to download. The exploit checks that the cookie is set before launching, and reports to the C2 server both before and after executing. According to Google researchers, “the delivered shellcode uses a custom hashing algorithm to resolve Windows APIs. The shellcode erases all traces of exploitation by clearing the Internet Explorer cache and history before downloading the next stage.”

Google researchers were not able to determine the final payload of the campaign.

IOCs

Google researchers provided the following indicators of compromise (IOCs):

Indicator                                                         Type    Notes
56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7  SHA256  Initial Documents
af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf  SHA256  Initial Documents
926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f  SHA256  Initial Documents
3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39  SHA256  Initial Documents
c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82  SHA256  Initial Documents
08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb  SHA256  Remote RTF Template
word-template[.]net                                               Domain  C2 Server
openxmlformat[.]org                                               Domain  C2 Server
ms-office[.]services                                              Domain  C2 Server
ms-offices[.]com                                                  Domain  C2 Server
template-openxml[.]com                                            Domain  C2 Server
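The indicators above are published defanged (`[.]`), so they need refanging before they can be matched against telemetry. The following is an added example, not code from Google TAG: it loads the IOCs listed above, refangs the domains, and sweeps a few constructed DNS and antivirus log lines (the `SAMPLE_LOGS` values, client addresses and hostnames are made up for the demonstration) for exact hash matches and for domain or subdomain matches.

```python
import re
from typing import List, Tuple

# IOCs exactly as listed in the table above (domains defanged as published).
IOC_SHA256 = {
    "56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7",
    "af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf",
    "926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f",
    "3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39",
    "c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82",
    "08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb",
}
IOC_DOMAINS_DEFANGED = {
    "word-template[.]net",
    "openxmlformat[.]org",
    "ms-office[.]services",
    "ms-offices[.]com",
    "template-openxml[.]com",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable one."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def match_iocs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, indicator, line) for every IOC hit in the given log lines.

    Domains match exactly or as a subdomain of a listed C2 domain; hashes must
    match exactly. Matching is case-insensitive.
    """
    hits = []
    for line in lines:
        for digest in HASH_RE.findall(line):
            digest = digest.lower()
            if digest in IOC_SHA256:
                hits.append(("sha256", digest, line))
        for domain in DOMAIN_RE.findall(line):
            domain = domain.lower()
            if domain in IOC_DOMAINS or any(
                domain.endswith("." + base) for base in IOC_DOMAINS
            ):
                hits.append(("domain", domain, line))
    return hits


# Constructed log lines for the demonstration; not real telemetry.
SAMPLE_LOGS = [
    "2022-10-20T08:01:02Z dns client=10.0.0.5 query=word-template.net type=A",
    "2022-10-20T08:01:05Z dns client=10.0.0.5 query=cdn.openxmlformat.org type=A",
    "2022-10-20T08:01:09Z dns client=10.0.0.7 query=update.example.com type=A",
    "2022-10-20T08:02:30Z av host=WS01 file=lure.docx "
    "sha256=56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7",
    "2022-10-20T08:02:31Z av host=WS01 file=report.docx "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for kind, indicator, line in match_iocs(SAMPLE_LOGS):
        print(f"[{kind}] {indicator} <- {line}")
```

Subdomain matching matters because the campaign's C2 hosts are listed as registrable domains, and any host beneath them (e.g. a CDN-style label) should trip the same rule; the hash check is exact because a single changed byte produces an unrelated digest.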
