Google's Threat Analysis Group discovered an incident involving the North Korean hacker group APT37, which exploited an Internet Explorer zero-day vulnerability.
The threat actors exploited this vulnerability using a weaponized document that was also used to target victims in South Korea. APT37 is believed to be a state-sponsored group operating on behalf of the North Korean government.
The zero-day Internet Explorer vulnerability is located in the JScript engine. Exploiting the flaw allows attackers to execute arbitrary code: once the victim loads the malicious content, the actor gains full control of the browser.
Google Threat Analysis Group.
IE 0-Day (CVE-202-21128) Technical Analysis
Multiple submissions of a malicious Microsoft Office document, "221031 Seoul Yongsan Itaewon incident response situation (06:00).docx", were uploaded to VirusTotal from South Korea. The file name refers to the large South Korean Halloween incident that caused several deaths.
When the document is opened, a remote Rich Text Format (RTF) template is downloaded. This remote template is then used to fetch remote HTML content, which Office renders using the Internet Explorer engine. The technique has been widely used by many threat actors.
This vector allows the attacker to deliver IE exploits to the target without requiring the target to use Internet Explorer as their browser. It also does not require chaining the exploit with an EPM (Enhanced Protected Mode) sandbox escape.
The Zero Day Exploit
The malicious document carries the Mark-of-the-Web (MotW), a Windows feature that protects users from files coming from untrusted sources. The actors therefore trick users into disabling Protected View before the remote RTF template can be fetched.
When the web server serves the remote RTF, it sets a cookie. This cookie identifies the requester and must be sent back again when the remote HTML content is requested, which likely lets the operators detect fetches of the HTML exploit code that are not part of a genuine infection.
The JavaScript exploit also double-checked that the cookie had been set before launching the exploit. It reported back to the command-and-control server twice: once while dropping the payload and once after it executed successfully.
The shellcode resolved Windows APIs using a custom hashing algorithm. Notably, the shellcode cleared all traces of exploitation from the browser and wiped the caches before downloading the next stage.
During the campaign, the actors also distributed other malicious documents attempting to exploit the same vulnerability.
Researchers were unable to recover the final payload, but they did find that it was connected with other implants, such as and and .
IOCs (Indicators of Compromise)
Initial documents:
Remote RTF Template:
- 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb