Security News > 2022 > December > Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers
An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware.
"The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists," TAG said in a Thursday analysis.
The new findings illustrate the threat actor's continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
It abuses yet another Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, that was patched by Microsoft last month.
The attack is enabled by the fact that Office renders HTML content using Internet Explorer.
Successful exploitation is followed by the delivery of a shellcode that wipes all traces by clearing the Internet Explorer cache and history as well as downloading the next stage payload. Google TAG said it could not recover the follow-on malware used in the campaign, although it's suspected to have involved the deployment of RokRat, BLUELIGHT, or Dolphin.
News URL
https://thehackernews.com/2022/12/google-warns-of-internet-explorer-zero.html
Related news
- Google: 97 zero-days exploited in 2024, over 50% in spyware attacks (source)
- Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products (source)
- Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach (source)
- Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers (source)
- Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own (source)
- Hackers earn $1,078,750 for 28 zero-days at Pwn2Own Berlin (source)
- Chinese hackers breach US local governments using Cityworks zero-day (source)
- Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers (source)
- New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch (source)
- Google patches new Chrome zero-day bug exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-09 | CVE-2022-41128 | Out-of-bounds Write vulnerability in Microsoft products Windows Scripting Languages Remote Code Execution Vulnerability | 8.8 |
| 2021-03-11 | CVE-2021-26411 | Use After Free vulnerability in Microsoft Edge and Internet Explorer Internet Explorer Memory Corruption Vulnerability | 0.0 |
| 2020-08-17 | CVE-2020-1380 | Out-of-bounds Write vulnerability in Microsoft Internet Explorer 11 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. | 0.0 |