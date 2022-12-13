Researchers at Google’s cybersecurity division identified a ‘zero day’ security hole in the discontinued Internet Explorer browser in the third quarter of this year. According to reports, a group of North Korean cybercriminals exploited the vulnerability through an Office document that used the government’s name to deceive victims. The malicious file, named “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, poses as a government text about a riot in the streets of Itaewon, a district in Seoul, the Chinese capital, which killed more than 150 people at a Halloween party in October.

According to a report by Google experts, the high-severity flaw CVE-2022-41128 is triggered when the document downloads a remote RTF template, which in turn loads remote HTML that is rendered by Internet Explorer’s engine, a component Office still uses to execute JavaScript; this makes it possible to open files and text compatible with the service, and it affects even users who merely have the browser installed. Aware of the problem, Google notified Microsoft so that the Redmond giant could fix the flaw as soon as possible and avoid exposing users; for now, there are still no details on the number of possible victims of the APT37 group since the end of October.
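One check a defender can run on documents like the one described above: the added example below (written for this edit, not code from the page or from the Google researchers it cites) inspects a .docx for an attachedTemplate relationship whose target is fetched over the network, which is how a document pulls in a remote RTF template. The sample documents, the placeholder URL under example.invalid and the helper names are all constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Targets that imply a network fetch (HTTP(S) URL or UNC path); a local file:// template is normal.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the network targets of attachedTemplate relationships found in a .docx.

    Every .rels part inside the OOXML zip is parsed; Word normally keeps the
    template relationship in word/_rels/settings.xml.rels, but scanning all
    relationship parts avoids missing a non-standard placement.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    hits.append(target)
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts the check needs (hypothetical helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


def _rels(target: str) -> str:
    return (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')


# Constructed samples: one pulls its template over HTTP, one references a local Normal.dotm.
SUSPICIOUS_DOCX = build_docx(_rels("http://example.invalid/template.rtf"))
BENIGN_DOCX = build_docx(_rels("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"))
```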

“While we did not retrieve a final payload for this campaign, we have previously observed the same group delivering a variety of implants such as ROKRAT, BLUELIGHT and DOLPHIN,” Lecigne and Stevens said. “APT37 implants typically abuse legitimate cloud services as a C2 channel and offer features typical of most backdoors.”