Google: State hackers still exploiting Internet Explorer zero-days

Google’s Threat Analysis Group (TAG) today revealed that APT37, a North Korean state-backed hacker group, exploited a previously unknown Internet Explorer vulnerability (a zero-day) to infect South Korean targets with malware.

Google TAG learned of this attack from multiple VirusTotal users in South Korea on October 31, when they uploaded a malicious Microsoft Office document titled “221031 Seoul Yongsan Itaewon accident situation response situation (06:00).docx.”

Once opened on a victim’s device, the document fetched a remote template (a rich text file), which in turn downloaded remote HTML and rendered it via Internet Explorer, delivering a payload that remains unknown.

Loading the exploit’s HTML content remotely through the Office document allows the attackers to trigger the IE zero-day even on targets that do not use Internet Explorer as their default browser.
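The remote-template chain described above leaves a checkable trace inside the .docx itself: the attached-template relationship in `word/_rels/settings.xml.rels` points at an external URL. The following detection script is an added example (not Google TAG’s code); it builds a constructed sample document with a placeholder URL and flags any external template target.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship type Word uses for an attached (document) template.
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
RELS_PATH = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return external attachedTemplate targets (http(s) or UNC) found in a .docx."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return found  # no settings relationships, so no attached template
        root = ET.fromstring(z.read(RELS_PATH))
    for rel in root.iter():
        if not rel.tag.endswith("}Relationship"):
            continue
        if rel.get("Type") != TEMPLATE_REL or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        # A legitimate template is usually a local .dotx/.dotm; a web or UNC
        # target means Word will reach out to a remote host when the file opens.
        if target.lower().startswith(("http://", "https://", "\\\\")):
            found.append(target)
    return found


def build_sample_docx(template_target: str) -> bytes:
    """Build a minimal constructed .docx whose settings rels point at template_target."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
            f'Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host, not an indicator from the report.
    sample = build_sample_docx("http://template.example.invalid/lure.rtf")
    print(find_remote_templates(sample))  # ['http://template.example.invalid/lure.rtf']
```

Run the same check over a real sample before opening it, and treat any non-empty result as a reason to block the file and inspect the target host.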

The vulnerability, tracked as , is caused by a flaw in Internet Explorer’s JavaScript engine. It allows attackers to execute arbitrary code when the browser renders a maliciously constructed website.

Microsoft fixed it in . This was five days after it received a CVE ID from TAG on October 31.

Malicious Office document used as lure by APT37 hackers (Google TAG)

There was no information about malware sent to victims’ computers

Although Google TAG was unable to analyze the malicious payload that the North Korean hackers delivered to their South Korean targets, this threat group has a reputation for using a variety of malware as part of its attacks.

Clement Lecigne and Benoit Stevens of Google TAG stated that although they did not recover the final payload, they have seen this group deliver implants such as ROKRAT and BLUELIGHT before.

“APT37 implants typically use legitimate cloud services to channel C2 and provide capabilities that are typical of many backdoors.”

APT37 has been active since 2012, roughly a decade, and has been linked with high confidence to the North Korean government by FireEye.

This threat group has a reputation for targeting individuals of interest to the North Korean regime, including dissidents, diplomats, journalists, human rights activists, and government workers.