Context
APT37 is a North Korean government-backed actor that has repeatedly leveraged Internet Explorer zero-days to target North Korean defectors, government officials, journalists, and activists in South Korea.
Technical Details
CVE-2022-41128 was patched by Microsoft on November 8, 2022. According to Microsoft, “this vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.”
According to Google researchers, “the vulnerability resides within 'jscript9.dll', the JavaScript engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website.”
According to Google researchers, multiple South Korean users submitted malicious Microsoft Office documents to VirusTotal. The documents used national tragedies in South Korea as lure themes and download a rich text file (RTF) remote template, which in turn downloads remote HTML content. Office renders that remote HTML with the Internet Explorer engine, which is why an IE exploit can be delivered through an Office document even when IE is not the user's default browser.
Users need to disable Protected View on the document for the remote RTF template to download. When the server delivers the RTF template it sets a cookie, and the exploit verifies that this cookie is present before launching, a check that is likely intended to detect direct fetches of the HTML stage that did not come through the RTF. The exploit also reports to the C2 server before and after executing. According to Google researchers, “the delivered shellcode uses a custom hashing algorithm to resolve Windows APIs. The shellcode erases all traces of exploitation by clearing the Internet Explorer cache and history before downloading the next stage.”
Google researchers were not able to determine the final payload of the campaign.
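The script below is an added example for this write-up; it is not code from Google, Microsoft, or the campaign. It detects the delivery mechanism described above from the file side: it opens a Word document and looks for an external attachedTemplate relationship in word/_rels/settings.xml.rels (how a .docx pulls a remote template), extracts the URL from an RTF \*\template control word (how the RTF stage points at remote content), and compares the hosts it finds against the defanged C2 domains listed in the IOC table. The two sample files are constructed in memory for the demonstration; no real samples or hashes from the campaign are embedded, and the URL paths are assumed.

```python
"""Flag Office/RTF files that pull a remote template and match the host
against the C2 domains from the IOC table. Sample inputs are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# C2 domains exactly as listed (defanged) in the IOC table of this page.
IOC_DOMAINS_DEFANGED = [
    "word-template[.]net",
    "openxmlformat[.]org",
    "ms-office[.]services",
    "ms-offices[.]com",
    "template-openxml[.]com",
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be matched."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def remote_templates_in_docx(data: bytes) -> list:
    """Return external attachedTemplate targets from a .docx/.dotx blob.

    A remote template is wired in through settings.xml.rels: a Relationship of
    type attachedTemplate whose TargetMode is External and whose Target is a URL.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def remote_template_in_rtf(data: bytes) -> list:
    """Return URLs carried by \\*\\template control words in an RTF blob."""
    if not data.lstrip().startswith(b"{\\rt"):  # Word accepts headers as short as {\rt
        return []
    return [m.decode("ascii", "replace")
            for m in re.findall(rb"\\\*\\template\s+([^\s{}]+)", data)]


def host_of(target: str) -> str:
    return (urlparse(target).hostname or "").lower()


def analyze(name: str, data: bytes) -> dict:
    """Pick the parser by file magic and report template URLs plus IOC matches."""
    if data[:4] == b"PK\x03\x04":          # OOXML container (zip)
        targets = remote_templates_in_docx(data)
    else:
        targets = remote_template_in_rtf(data)
    matches = sorted({host_of(t) for t in targets if host_of(t) in IOC_DOMAINS})
    return {"file": name, "remote_templates": targets, "ioc_hosts": matches}


def build_sample_docx(template_url: str) -> bytes:
    """Constructed sample: the minimum .docx skeleton carrying an external template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed inputs; the paths are assumptions, only the hosts come from the IOC table.
SAMPLE_DOCX = build_sample_docx("http://word-template.net/template.rtf")
SAMPLE_RTF = b"{\\rtf1\\ansi{\\*\\template http://openxmlformat.org/stage2.html}\\par}"
SAMPLE_CLEAN_RTF = b"{\\rtf1\\ansi Nothing remote here.\\par}"

if __name__ == "__main__":
    for name, blob in [("lure.docx", SAMPLE_DOCX), ("template.rtf", SAMPLE_RTF),
                       ("clean.rtf", SAMPLE_CLEAN_RTF)]:
        print(analyze(name, blob))
```

The docx check is the one worth running over a mail gateway or sandbox drop folder: a legitimate attached template almost always has TargetMode="Internal" or points at a local path, so an external HTTP target is a strong signal on its own, before any IOC match. Remember that the remote stages only download after the user leaves Protected View, so a static scan of the initial document is the earliest point at which the chain can be caught.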
IOCs
Google researchers provided the following indicators of compromise (IOCs):
| Indicator | Type | Notes |
| --- | --- | --- |
| 56ca24b57c4559f834c190d50b0fe89dd4a4040a078ca1f267d0bbc7849e9ed7 | SHA256 | Initial document |
| af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf | SHA256 | Initial document |
| 926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f | SHA256 | Initial document |
| 3bff571823421c013e79cc10793f238f4252f7d7ac91f9ef41435af0a8c09a39 | SHA256 | Initial document |
| c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82 | SHA256 | Initial document |
| 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb | SHA256 | Remote RTF template |
| word-template[.]net | Domain | C2 server |
| openxmlformat[.]org | Domain | C2 server |
| ms-office[.]services | Domain | C2 server |
| ms-offices[.]com | Domain | C2 server |
| template-openxml[.]com | Domain | C2 server |