APT37: North Korean APT Using an Internet Explorer 0-Day Exploit


Once again the North Korean threat actor tracked as APT37 has been caught using a 0-day exploit for Internet Explorer in the wild, this time CVE-2022-41128, a vulnerability in IE's JScript scripting engine, as reported by Google's Threat Analysis Group (TAG). This is not the first 0-day APT37 has used; the group has been targeting South Korean users for years. TAG reported the issue to Microsoft, and Microsoft has since released a patch. Note for defenders: although Internet Explorer itself is retired, its JScript engine remains on Windows and is still used by Office to render HTML content, which is why an "IE" bug can still be reached through a document lure.
APT37 has targeted South Korean public- and private-sector organizations since at least 2012, and its targeting has extended to Japan, Vietnam, and the Middle East. It was previously caught exploiting CVE-2020-1380 and CVE-2021-26411 (both also Internet Explorer vulnerabilities) to deliver backdoors such as BLUELIGHT and Dolphin, and ESET has documented continued, improving development of the group's tooling over time.
This time APT37 lured victims with a document referencing the recent tragedy in Itaewon, a neighborhood of Seoul, an incident that was of wide public interest at the time.

"The delivered shellcode uses a custom hashing algorithm to resolve Windows APIs. The shellcode erases all traces of exploitation by clearing the Internet Explorer cache and history before downloading the next stage. The next stage is downloaded using the same cookie that was set when the server delivered the remote RTF.

Although we did not recover a final payload for this campaign, we’ve previously observed the same group deliver a variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN. APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors," the TAG team wrote.
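As an added illustration (not code from the TAG report or from the APT37 shellcode, whose custom hashing algorithm is not published here), the Python below shows the two sides of API hashing: how position-independent shellcode resolves a Windows export by walking an export table and comparing hashes instead of strings, so no readable API names appear in the payload, and how an analyst who has lifted the hash routine from the shellcode precomputes a hash-to-name table to recover which functions it imports. The ROR-13 hash is the well-known Metasploit-style algorithm used purely as a stand-in, and the export lists are constructed for the example; a real resolver walks the PE export directory of the loaded DLL.

```python
"""
Illustrative API-hash resolver (example code, not the actor's algorithm).

Shellcode side: resolve an export by 32-bit hash rather than by name.
Analyst side:   precompute hash -> name for a recovered hash routine and
                look up the constants found in the shellcode.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR-13 API hash over the ASCII export name plus its NUL terminator.
    Stand-in for the campaign's custom hash, which is not reproduced here."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed stand-in for the export tables of a few loaded modules.
FAKE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "WinExec", "ExitProcess"],
    "wininet.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                    "InternetSetCookieA"],
    "urlmon.dll": ["URLDownloadToFileA"],
}


def resolve_by_hash(target_hash: int,
                    exports: Dict[str, Iterable[str]]) -> Optional[str]:
    """Shellcode side: walk every export, hash its name, stop on the first
    match. Only the 32-bit constant ever needs to be stored in the payload."""
    for module, names in exports.items():
        for name in names:
            if ror13_hash(name) == target_hash:
                return f"{module}!{name}"
    return None


def build_lookup_table(exports: Dict[str, Iterable[str]]) -> Dict[int, str]:
    """Analyst side: precompute hash -> module!name for every known export
    using the hash routine recovered from the shellcode."""
    table: Dict[int, str] = {}
    for module, names in exports.items():
        for name in names:
            table[ror13_hash(name)] = f"{module}!{name}"
    return table


def recover_imports(hash_constants: Iterable[int],
                    exports: Dict[str, Iterable[str]]) -> Dict[int, Optional[str]]:
    """Map each hash constant pulled from the shellcode to an API name, or
    None if it is not in the precomputed table (unknown module or algorithm)."""
    table = build_lookup_table(exports)
    return {h: table.get(h) for h in hash_constants}


if __name__ == "__main__":
    # Constants an analyst might carve out of a shellcode blob (constructed
    # here by hashing known names; 0xDEADBEEF stands for an unresolved hash).
    carved = [ror13_hash("InternetOpenUrlA"), ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, api in recover_imports(carved, FAKE_EXPORTS).items():
        print(f"{h:#010x} -> {api}")
```

Once the hash routine is recovered, the same table can be extended to every export of every DLL on a reference system, which turns a blob of opaque constants back into an import list that reveals the shellcode's capabilities (networking, memory allocation, process execution) without running it.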

 
