Internet Explorer is no more, but hackers continue to exploit its flaws


Google has filled in the details of a curious zero-day flaw that Microsoft patched in its November Patch Tuesday.

The remote code execution vulnerability, tracked as CVE-2022-41128, affected JScript9, the JavaScript engine used in Internet Explorer 11 (IE11). The security flaw affects Windows versions from 7 to 11 as well as Windows Server from 2008 to 2022.

Microsoft has not supported Internet Explorer since June 15th. Since then, the software giant has been encouraging its customers to use Edge and its IE mode instead of the outdated browser. Still, Google found that IE-related security vulnerabilities continued to be exploited through Office documents, because the IE engine remains integrated into the office suite.

Who is exploiting this security flaw?

According to Clément Lecigne (who reported the flaw to Microsoft) and Benoit Sevens of Google TAG (Threat Analysis Group), the exploit was developed by North Korean hackers, APT37.

TAG explains that the attackers chose to spread the exploit through an Office document because the office suite renders HTML content using IE. Since 2017, exploits targeting IE have typically been delivered through Office for this same reason: even if you have set Chrome as your default browser, Office still falls back to Internet Explorer when it encounters HTML or web content.

“Delivering IE exploits through this vector has the advantage of not requiring the target to use Internet Explorer as their default browser, nor of chaining the exploit with an EPM sandbox escape,” the researchers point out.

Similar to another vulnerability discovered last year

The researchers also noted that this exploit is very similar to CVE-2021-34480, a vulnerability discovered by Google Project Zero (GPZ) last year in the JIT compiler of IE11. GPZ’s analysis of that IE flaw likewise pointed to the IE JIT compiler.

At the time, GPZ researcher Ivan Fratric warned that despite Microsoft ending support for IE11, IE (or the IE engine) was still integrated into other products, including Microsoft Office. Because of this still-existing integration, the researcher wondered how long it would take before attackers would stop abusing it.

APT37 at the controls

TAG researchers point out that in a typical scenario, when an IE exploit is delivered via an Office document, the user must disable Office Protected View before the remote RTF is retrieved.
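A defender-side check prompted by this delivery mechanism, written as an added example that is not from the article or from Google TAG: an OOXML document asks Word to fetch a remote template through a relationship marked `TargetMode="External"`, so listing those relationships is a cheap triage step for suspicious attachments. The minimal sample document and the `example.invalid` URL below are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_targets(docx_bytes):
    """Return (rels_part, target) for every relationship with TargetMode="External".

    A self-contained document has no external relationships; a remote template
    (the way a remote RTF gets pulled in) shows up here as an http(s) Target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def scan(docx_bytes):
    """Keep only external targets that would make Word reach out over HTTP(S)."""
    return [(part, t) for part, t in external_targets(docx_bytes)
            if re.match(r"(?i)https?://", t)]


def build_sample_docx(remote_template=""):
    """Construct a minimal docx (constructed sample, not a real lure); when
    remote_template is set, add an attachedTemplate relationship pointing at it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        if remote_template:
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{remote_template}" TargetMode="External"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan(build_sample_docx("http://example.invalid/lure.rtf")))
```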

While Google’s Threat Analysis Group did not find the final payload for this campaign, it points out that APT37 (also known as ScarCruft and Reaper) has used multiple implants such as ROKRAT, BLUELIGHT, and DOLPHIN. “APT37 implants typically use legitimate cloud services as a C2 channel, and offer capabilities typical of most backdoors.”

TAG also praised Microsoft for the speed of its fix, which was delivered eight days after the malicious Office file was first uploaded to VirusTotal.

Source: ZDNet.com