Google has provided further details on an unusual zero-day vulnerability that Microsoft patched in November.
Because the IE engine remains integrated with Office, Google found that this IE flaw was still being exploited through Office documents despite Microsoft's June 15, 2022 end of support for IE11.
Who exactly was responsible for the recently revealed vulnerability in IE 11?
TAG members Clement Lecigne (who disclosed the bug to Microsoft) and Benoit Sevens attribute the IE exploit to APT37, a North Korean operation.
As TAG explains, Office renders HTML content using the IE engine, so the attackers delivered the exploit by embedding it in an Office document. Since 2017, IE exploits have been delivered via Office because Office falls back to the IE engine whenever it encounters HTML or web content, even on systems where Chrome is the default browser.
“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as the default browser,” the threat analysts write.
They also note that this is closely related to the vulnerability in IE 11's JIT compiler that Google Project Zero (GPZ) found last year (CVE-2021-34480); GPZ's analysis likewise traced the latest IE vulnerability to IE's JIT compiler.
Then-GPZ researcher Ivan Fratric pointed out that, although Microsoft had ended support for IE 11, IE (or rather the IE engine) was still embedded in other programmes, including Microsoft Office. Fratric questioned how long it would be before attackers stopped leveraging this still-present integration.
TAG points out that when an IE exploit is delivered in an Office document, the user typically has to disable Office Protected View before the document fetches the remote RTF.
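The delivery chain above hinges on an Office document that pulls a remote resource once Protected View is out of the way. One defensive check that can run offline, before a document is ever opened, is to look for the external template reference inside the OOXML package. The following is an added example written for this page; it is not code from Google TAG or from the report itself. It assumes the remote fetch is expressed as a Word `attachedTemplate` relationship with `TargetMode="External"` (the standard remote-template mechanism), which is an assumption, since the page only says the document fetches a remote RTF. The sample documents are constructed in memory and nothing is ever downloaded.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML relationship namespace and the relationship type Word uses for an
# attached (.dot/.dotm/RTF) template. Both are part of the public OOXML spec.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# The relationships file that carries the template link for word/settings.xml.
RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the external targets of every attachedTemplate relationship
    in a .docx/.dotx. These are URLs Word will fetch when the document is
    opened outside Protected View. An empty list means no remote template."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            # Only external targets matter: a local Normal.dotm is benign.
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode", "Internal") == "External"):
                hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not a real
    document). With template_target set, add the attachedTemplate
    relationship; external=True marks it as a remote (URL) target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '</Types>',
        )
        z.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>sample</w:t></w:r></w:p></w:body></w:document>',
        )
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr(
                "word/settings.xml",
                '<?xml version="1.0" encoding="UTF-8"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>',
            )
            z.writestr(
                RELS_PART,
                '<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>'
                '</Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain document, one with a local template,
    # and one pointing at a placeholder URL (not a real indicator).
    for label, doc in [
        ("plain", build_sample_docx(None)),
        ("local-template", build_sample_docx("Normal.dotm", external=False)),
        ("remote-template", build_sample_docx("https://example.invalid/template.rtf")),
    ]:
        print(f"{label}: remote targets = {find_remote_templates(doc)}")
```

The check is intentionally static: it reads the package's own relationship metadata rather than opening the file in Office, so it is safe to run in a mail gateway or triage pipeline, and a hit tells the analyst exactly which remote host the document would contact once Protected View is disabled.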
Although TAG did not recover the full payload for this campaign, it did find that APT37 (also known as ScarCruft and Reaper) has previously deployed implants such as ROKRAT, BLUELIGHT, and DOLPHIN.
When it comes to capabilities, “APT37 implants often misuse genuine cloud services as a C2 channel,” TAG says.
TAG also credited Microsoft for releasing a fix quickly: only eight days after Google's first VirusTotal analysis of the malicious Office file.