Updated on 2022-12-08: North Korea’s APT37 Hackers Exploited Internet Explorer JScript9 Engine Zero-Day
Hackers linked to North Korea have been exploiting a zero-day type-confusion vulnerability in Internet Explorer’s JScript9 engine. Google’s Project Zero detected the vulnerability, which affects Windows 7 through 11 and Windows Server 2008 through 2022 prior to the patches Microsoft released in November. APT37 has been exploiting the vulnerability to spread malware embedded in documents.
Note
- You may consider Internet Explorer “legacy” at this point. But it may still be used to render content in Office documents.
- North Korea, while a fairly underfunded state, still has an innovative team of individuals who find interesting ways to abuse Windows. Don’t underestimate their technical capabilities; they can still be effective. This is a classic one. Who would have thought IE11 is still the core rendering engine for HTML in Office in 2022? It would be as if I said IE6 was being used to render HTML in Adobe Reader. It’s rather shocking, but maybe not surprising.
Read more in
- CVE-2022-41128: Type confusion in Internet Explorer’s JScript9 engine
- Hackers are still finding – and using – flaws in Internet Explorer
- North Korean hackers once again exploit Internet Explorer’s leftover bits
- North Korea hits new low by using Seoul Halloween tragedy to exploit Internet Explorer zero-day
- APT37 Uses Internet Explorer Zero-Day to Spread Malware
- North Korean Hackers Look to Internet Explorer Zero Days
- North Korean APT37 Used Internet Explorer Zero Day
Updated on 2022-12-07: ScarCruft’s Chinotto
Korea’s CERT team has put out a report on Chinotto, a malware strain used by ScarCruft, a North Korean APT. Read more: TTPs #9: 개인의 일상을 감시하는 공격전략 분석 (Analysis of attack strategies that surveil individuals’ daily lives)
Updated on 2022-12-02
North Korea-linked APT37, aka ScarCruft, was found leveraging a previously undocumented backdoor, named Dolphin, against South Korean entities. Read more: Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
Updated on 2022-12-01: ScarCruft’s Dolphin
ESET has put out a report on Dolphin, a new backdoor they spotted in attacks carried out by the ScarCruft APT. The malware can monitor local drives for specific content, steal files of interest, monitor keystrokes, take screenshots, and extract and steal credentials from browsers. Evidence suggests the backdoor has been used in attacks as early as April 2021. Read more: Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
“A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security.”
Overview: CloudMensis = ScarCruft
In a series of tweets on Wednesday, ESET said it was able to finally attribute an APT operation targeting macOS users that they spotted in July (which they named CloudMensis) to the ScarCruft North Korean cyber-espionage group.
Read more in
In July, #ESETresearch reported on macOS spyware we dubbed CloudMensis. In the blogpost, we left the malware unattributed. However, further analysis showed similarities with a Windows malware called #RokRAT, a #ScarCruft tool. @marc_etienne_, @pkalnai 1/9 https://t.co/7RFLwC952J
— ESET Research (@ESETresearch) September 28, 2022