North Korean hackers are again exploiting the leftovers of Internet Explorer

Internet Explorer logo embedded in North Korean flag
APT37, a group believed to be backed by the North Korean government, has successfully exploited the parts of Internet Explorer that still exist in various Windows-based apps.

Aurich Lawson | Getty Images

Microsoft’s Edge browser has replaced Internet Explorer in almost every way, but a few exceptions remain. One of them, deep within Microsoft Word, was exploited by a North Korean-backed group this fall, Google security researchers claim.

It’s not the first time the government-backed APT37 has taken advantage of Internet Explorer’s continued presence, Google’s Threat Analysis Group (TAG) notes in a blog post. APT37 has had repeated success in targeting South Korean journalists and activists, as well as North Korean defectors, through a limited but still successful Internet Explorer path.

The latest exploit targeted people who visited Daily NK, a South Korean website dedicated to North Korean news. The lure was the Halloween crowd crush in Itaewon, in which at least 151 people died. A Microsoft Word .docx document, labeled “Accident Response Situation” and named and timestamped as if it had been created less than two days after the incident, began to circulate. South Korean users began submitting the document to Google’s VirusTotal, where it was flagged as CVE-2017-0199, a long-known vulnerability in Word and WordPad.

The document in question is allegedly linked to a deadly stampede in Itaewon, South Korea, in late October.

Just as in April 2017, if a recipient clicked through to let Word or WordPad open the file outside “Protected View,” the document downloaded a rich-text template from an attacker-controlled server, which in turn fetched more HTML disguised as a rich-text template. Office and WordPad hand such HTML to Internet Explorer to render, and that handling of what Microsoft calls a “specially crafted file” is what let attackers inject various malware payloads. Although the vulnerability was patched the same month, it persisted on unpatched systems; it was one of the vectors exploited in a Petya wave more than a year later.
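The first hop of the chain above, a .docx that pulls a template from a remote server when opened, is visible without opening the file in Word: a .docx is a ZIP, and its relationship parts (`*.rels`) record every external target. The triage script below is an added example, not code from the article or from Google TAG; it lists relationships whose OOXML type makes Word fetch the target automatically (attachedTemplate, oleObject) while ignoring ordinary hyperlinks, and it builds a constructed sample document with a placeholder URL so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves on its own when the document is opened;
# a hyperlink is also "External" but only fires on a click, so it is not listed.
AUTO_FETCH_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}


def find_remote_loads(docx_bytes):
    """Return (rels part, short type, URL) for every auto-fetched external URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can carry external targets
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") in AUTO_FETCH_TYPES
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, rel.get("Type").rsplit("/", 1)[-1], target))
    return hits


def build_sample_docx(template_target):
    """Constructed minimal .docx whose settings part points at a template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/settings.xml.rels",
                   f"<Relationships xmlns='{REL_NS}'><Relationship Id='rId1' "
                   f"Type='{OFFICE_REL}attachedTemplate' Target='{template_target}' "
                   "TargetMode='External'/></Relationships>")
        # An ordinary hyperlink, also External, must not trigger the detector.
        z.writestr("word/_rels/document.xml.rels",
                   f"<Relationships xmlns='{REL_NS}'><Relationship Id='rId2' "
                   f"Type='{OFFICE_REL}hyperlink' Target='https://example.com/' "
                   "TargetMode='External'/></Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL, not an indicator from the article.
    sample = build_sample_docx("http://template.invalid/accident_report.dotm")
    for part, kind, url in find_remote_loads(sample):
        print(f"{part}: {kind} -> {url}")
```

A relative template target (a local .dotm) produces no hit, so the check separates remote-template documents from the many benign files that merely reference a local template.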


The specific vulnerability is in Internet Explorer’s JavaScript (JScript) engine: a just-in-time optimization error leads to data type confusion and memory writes. This particular exploit also cleaned up after itself, deleting the Internet Explorer cache and history to erase traces of its presence. While Google’s TAG does not know which payloads were delivered, APT37 has previously circulated exploits that delivered BLUELIGHT, ROKRAT and DOLPHIN, all of which focused on North Korea’s political and economic interests. (North Korean hackers are not averse to a Chrome exploit, either.)

Microsoft has patched the specific exploit in its JScript engine, but with this now the fifth year of remote-code attacks delivered through Word documents, it seems they’ll be around for a while longer. And North Korean actors will be eager to keep using them.