North Korea-linked hacking group APT37, aka Scarcruft or Reaper, is abusing a zero-day vulnerability in the JScript engine of Internet Explorer. It exploits the bug to infect South Korean targets with malware.
The active exploitation
Google's Threat Analysis Group (TAG) revealed that, in late October, multiple South Koreans uploaded a malicious Microsoft Office document sample on VirusTotal.
On opening the document, it delivers an unknown payload after downloading an RTF remote template that would render remote HTML using Internet Explorer.
The HTML content loading allows the attackers to abuse the zero-day vulnerability (CVE-2022-41128) in Internet Explorer even if it is not used as a default web browser.
Experts are not sure of the final payload for this campaign, however, they evaluate it can be ROKRAT, BLUELIGHT, or DOLPHIN, which the group distributed previously.
About the vulnerability
Microsoft had already patched the vulnerability during November’s Patch Tuesday.
It earned a CVSS score of 8.8 and threat actors can exploit it to execute arbitrary code when rendering a maliciously crafted website.
It can be used to foist malicious software on vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness.
APT37 has typically used zero-days in its earlier operations and, with this discovery, its inclination toward the exploitation of zero-days becomes apparent. Organizations especially in South Korea are recommended to strengthen protections across the ecosystem by patching the known vulnerabilities as soon as possible.