Google has filled in the blanks about a curious zero-day flaw that Microsoft addressed in its November Patch Tuesday.
The remote code execution flaw, tracked as CVE-2022-41128, was in one of its Windows JavaScript scripting languages, JScript9 — the JavaScript engine used in IE11. The bug affected Windows 7 through to Windows 11 as well as Windows Server 2008 through 2022.
Microsoft ended support for IE11 on June 15, 2022 and has been encouraging customers to use Edge instead with ‘IE mode’, but Google has found this type of IE bug continues to be exploited in Office documents because the IE engine remains integrated with Office.
And who were the actors behind the newly discovered exploit for legacy IE 11?
According to TAG members Clement Lecigne (who reported the flaw to Microsoft) and Benoit Sevens, the IE exploit was developed by North Korean actors APT37.
The attackers distributed the IE exploit in an Office document because, as TAG explains, Office renders HTML content using IE. IE exploits have been delivered via Office since 2017 for this reason: even if Chrome is set as the default browser, Office falls back to the IE engine when it encounters HTML or web content.
“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” the threat analysts note.
They also note that this is very similar to the bug, CVE-2021-34480, that Google Project Zero (GPZ) found last year in IE 11’s JIT compiler. GPZ’s analysis of the new IE flaw also traced it to IE’s JIT compiler.
At the time, GPZ researcher Ivan Fratric noted that although Microsoft had ended support for IE 11, IE (or the IE engine) was still integrated into other products, most notably, Microsoft Office. Due to that still-existing integration, Fratric wondered how long it would take before attackers stop abusing it.
TAG notes that in a typical scenario when an IE exploit is delivered in an Office document, the user would have to disable Office Protected View before the remote RTF is fetched.
TAG didn’t find the final payload for this campaign; however, they noted that APT37 (also known as ScarCruft and Reaper) has used several implants such as ROKRAT, BLUELIGHT, and DOLPHIN.
“APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors,” TAG notes.
TAG also commended Microsoft for the quick patch, which it delivered eight days after Google first analyzed the malicious Office file from VirusTotal.