The Internet Explorer web browser was formally retired in June earlier this year and has since been replaced by Microsoft Edge. However, as TAG’s technical analysis explains, Office still uses the IE engine to execute the JavaScript that enables the attack, which is why it worked on Windows 7 through 11 and Windows Server 2008 through 2022 machines that have not installed the November 2022 security updates.
TAG became aware of the vulnerability when malicious Microsoft Office documents titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” were uploaded to VirusTotal on October 31st, 2022. The documents took advantage of widespread public attention to the tragedy in Itaewon on October 29th, in which 151 people lost their lives in a crowd crush during a Halloween celebration in Seoul.
The attack is believed to be the work of a group of North Korean government-backed actors known as APT37.
The document exploited an Internet Explorer zero-day vulnerability found in “jscript9.dll,” the JavaScript engine of Internet Explorer, which could be used to deliver malware or malicious code when rendering a website controlled by the attacker. TAG attributes the attack to a group of North Korean government-backed actors known as APT37, which has previously used similar Internet Explorer zero-day exploits in targeted attacks against North Korean defectors, policymakers, journalists, human rights activists, and South Korean IE users in general.
TAG says in the blog post that it “did not recover a final payload for this campaign” but notes that it has previously observed APT37 using similar exploits to deliver malware such as Rokrat, Bluelight, and Dolphin. In this instance, the vulnerability was reported to Microsoft within hours of its discovery on October 31st and was patched on November 8th.