Google is blaming North Korean hackers for exploiting a previously unknown vulnerability in Microsoft’s Internet Explorer to spread malware to victims in South Korea.
The company learned of the vulnerability on Oct. 31 when users began submitting a malicious document to Google’s Virustotal service, which can check files for malware. The malicious document was about the tragic “crowd crush(Opens in a new window)” incident that occurred two days earlier in Itaewon, South Korea, where at least 158 people died during Halloween festivities.
(Credit: Google)
The malicious document was dressed up to look like an official government statement about the tragedy. But in reality, the file was booby-trapped to exploit a new vulnerability in Internet Explorer likely capable of loading a backdoor on the victim’s computer.
The attack may seem irrelevant since Internet Explorer is officially dead and barely used(Opens in a new window). However, the hackers designed the malicious document to fetch remote HTML content. If the document is opened with Microsoft Office, the software will render the HTML content using Internet Explorer
“This technique has been widely used to distribute IE exploits via Office files since 2017,” Google security researchers wrote(Opens in a new window) in a blog post on Wednesday. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser.”
Google investigation found that hackers were abusing a previously unknown zero-day vulnerability in the JavaScript engine for Internet Explorer to execute rogue computer code on victims’ computers. The company failed to uncover the final payload in the attack, but has attributed the malicious document to a North Korean hacking group dubbed APT37, which is known for spreading several kinds of backdoors that can hijack a computer. Google didn’t say how it attributed the malicious documents to the North Korean hackers, though.
Recommended by Our Editors
The good news is that Microsoft was quick to patch(Opens in a new window) the flaw on Nov. 8 after Google flagged the vulnerability. It’s also important to note that Microsoft Office could only trigger the vulnerability if the user disabled “Protected View(Opens in a new window)” on the document and enabled editing.
In the meantime, Google is warning: “This is not the first time(Opens in a new window) APT37 has used Internet Explorer zero-day exploits to target users. The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists and human rights activists.”
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
