North Korean Hackers Exploit Recently Patched Zero-Day
21.8.18 securityweek  BigBrothers  
Exploit 

North Koren hackers are exploiting a recently patched vulnerability in Microsoft's VBScript engine vulnerability in live attacks, security researchers say.

Tracked as CVE-18-8373, the bug was identified as a memory corruption issue that would result in remote code execution in the context of the current user. The flaw resides in the manner in which the VBScript scripting engine handles objects in memory in Internet Explorer.

“[A]n attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said.

Impacting the VBScript engine in the latest versions of Windows, the vulnerability does not affect Internet Explorer 11, as “VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default,” Trend Micro, the security firm that discovered the flaw last month, says.

The security company also notes that the discovered exploit sample uses the same obfuscation technique as exploits for CVE-18-8174, a VBScript engine remote code execution flaw that Microsoft addressed in May.

The method for exploiting CVE-18-8373 and running shellcode is also similar to the CVE-18-8174 exploits, which further suggests that the same author is behind both. The creator used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine, Trend Micro says.

Last week, Dustin Childs, communications manager for the ZDI, told SecurityWeek that the similarities between these flaws seem more than coincidental. He also pointed out that further exploits could emerge from the same group.

While Trend Micro did not attribute the attacks to a specific actor, Qihoo 360’s security researchers claim that the North Korean threat actor known as DarkHotel is behind both exploits.

The researchers say the domain name used by the zero-day exploit is the same they observed in May being used for CVE-18-8174’s exploitation and that it is indeed linked to DarkHotel.

Qihoo 360, which has been tracking DarkHotel for a while, appears confident that this is the threat actor that has been exploiting CVE-18-8373 since before it was patched.

“Based on our analysis, this vulnerability can be steadily exploited. Moreover, since it is the second VB engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future,” Trend Micro said.

First detailed in 2014, the DarkHotel advanced persistent threat (APT) actor was recently said to be connected to the infamous Lazarus Group. Based on the reuse of code between various malware families attributed to North Korean actors, Intezer and McAfee concluded that most of the malicious tools link back to Lazarus.