Internet Explorer remains a viable attack vector, and a recurring one for APT37, a group of malicious actors backed by the North Korean government, according to a Google Threat Analysis Group blog post released Wednesday.
The group exploited a previously unknown zero-day vulnerability to attack individuals based in South Korea with malware embedded in a Microsoft Office document.
APT37, which has exploited previous Internet Explorer zero-day vulnerabilities, took advantage of widespread interest in the response to the fatal crowd crush on Oct. 29 in Seoul by including keywords referencing the tragedy in the malicious document.
The deadly crush during Halloween celebrations in a narrow alley of Seoul’s Itaewon neighborhood resulted in 156 deaths. Most of the victims were in their teens and 20s.
Google’s Threat Analysis Group discovered the zero-day vulnerability on Oct. 31, when multiple individuals uploaded the malicious file to VirusTotal. Google notified Microsoft that same day, and the vulnerability was assigned CVE-2022-41128 on Nov. 3 with a CVSS score of 8.8.
Microsoft released a patch for the remote code execution vulnerability on Nov. 8. Microsoft declined to provide details about how many potential victims are at risk or the extent to which the vulnerability is being actively exploited in the wild.
The vulnerability in the JavaScript engine of Internet Explorer bears strong similarities to CVE-2021-34480, according to Google’s Threat Analysis Group.
The malicious document, which requires the user to disable Protected View, downloads a rich text format (RTF) remote template, which in turn fetches remote HTML content.
“Because Office renders this HTML content using Internet Explorer, this technique has been widely used to distribute Internet Explorer exploits via Office files since 2017,” Clement Lecigne and Benoit Sevens, security researchers at Google’s Threat Analysis Group, wrote in a blog post.
“Delivering Internet Explorer exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” Lecigne and Sevens added.
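As an added defender-side example (not code from the Google TAG post or this article), the Python check below flags the first step of the chain described above: an RTF document whose `\*\template` destination points at a URL or UNC path, which causes Word to fetch the template over the network when the file is opened. The RTF samples are constructed, and `example.invalid` is a placeholder host.

```python
import re

# RTF template destination: {\*\template <path>}. The path may be bare or quoted
# and may carry RTF hex escapes (\'xx) or doubled backslashes.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)
REMOTE_RE = re.compile(r"(?i)^(?:https?|ftp)://")


def _decode_rtf_text(raw: bytes) -> str:
    """Resolve RTF hex escapes and doubled backslashes so the path reads plainly."""
    text = re.sub(rb"\\'([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)
    text = text.replace(b"\\\\", b"\\")
    return text.decode("latin-1").strip().strip('"')


def find_remote_templates(rtf: bytes) -> list:
    """Return template paths that would be fetched remotely (HTTP(S)/FTP URL or UNC).

    A local path such as C:\\Templates\\Normal.dotm is ignored; anything that
    resolves over the network is returned so the file can be triaged.
    """
    hits = []
    for match in TEMPLATE_RE.finditer(rtf):
        target = _decode_rtf_text(match.group(1))
        if REMOTE_RE.match(target) or target.startswith("\\\\"):
            hits.append(target)
    return hits


# Constructed samples, not the real campaign files.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\*\\template C:\\\\Templates\\\\Normal.dotm}"
              b"Quarterly report\\par}")
SUSPICIOUS_RTF = (b"{\\rtf1\\ansi{\\*\\template http://example.invalid/lure.dotm}"
                  b"Incident response update\\par}")
QUOTED_RTF = (b"{\\rtf1\\ansi{\\*\\template \"https://example.invalid/t.dotm\"}"
              b"\\par}")

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF),
                         ("quoted", QUOTED_RTF)]:
        print(name, find_remote_templates(sample))
```

Real samples often obfuscate the control word (splitting it across groups or padding it with junk destinations), so treat this as a first-pass triage check rather than a complete detector.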
Google’s Threat Analysis Group said it identified other malicious documents likely exploiting the same vulnerability with similar targeting, suggesting it could be part of the same campaign.
APT37 has been active for at least a decade, according to MITRE, and historically targets individuals in South Korea, North Korean defectors, policymakers, journalists and human rights activists.