Internet Explorer's scripting engine was the favorite target of a North Korean cyber-espionage group this year: the hackers deployed two zero-days and also crafted new exploits for two older, already-patched vulnerabilities.
The group's name is DarkHotel, a cyber-espionage group that McAfee and many other cyber-security firms have already linked to the Pyongyang regime.
The group has been active since 2007, but it was publicly exposed in 2014 when Kaspersky published a now-infamous report detailing a complex hacking operation that involved breaching the internal WiFi networks of hundreds of hotels in order to infect high-profile guests with malware.
Despite being exposed in public reports, DarkHotel didn't stop its attacks, continuing to target victims with the same tactic, most recently political figures in 2016 and 2017.
But they also ran other operations. In one of them, the group --which in cyber-security circles goes by many different names such as APT-C-06, Dubnium, Fallout Team, Karba, Luder, Nemim, SIG25, and Tapaoux-- also hid malware inside a copy of North Korea's antivirus sent to foreign researchers for study.
DarkHotel hackers had a fixation with Internet Explorer
But in 2018, the group has been especially active and has been seen numerous times targeting the same technology --Internet Explorer's VBScript scripting engine.
This year, researchers say DarkHotel hackers found and exploited a first IE zero-day (CVE-2018-8174) in April, and then a second (CVE-2018-8373) that came to light over the summer. Microsoft patched both, in its May and August security updates, respectively.
But according to a new report published today, researchers at Qihoo 360 Core say the group has also created new exploits for two older IE scripting engine vulnerabilities --namely CVE-2017-11869 and CVE-2016-0189.
"After analysis, we found that the obfuscation and exploitation of these four [exploits] are highly consistent," said Qihoo 360 Core researchers. "We suspect that they are from the same hacker (or hacking group)."
Zero-days are hard to discover and even harder to weaponize into reliable exploits. Creating new exploits for old bugs isn't a walk in the park, either.
We may never know why DarkHotel is spending so many resources on targeting Internet Explorer, but the trend is plainly visible to anyone tracking APT activity.
IE's VBScript engine living out its last days
Internet Explorer's VBScript scripting engine isn't exactly cutting-edge Microsoft technology, either. It's an ancient piece of code from the early days of Windows and Internet Explorer that has always been plagued by a large number of vulnerabilities.
Microsoft became well aware of this component's security flaws many years ago. That's why, in July 2017, Microsoft announced that VBScript execution would be disabled by default (for the Internet and Restricted Sites zones) in the IE11 version shipped with the Windows 10 Fall Creators Update, released in the fall of last year.
That change meant that hackers could no longer use VBScript code in web pages to attack users of an up-to-date Internet Explorer on Windows 10. Microsoft also promised patches to disable VBScript execution in IE versions on older Windows releases.
That change shut down many cybercrime operations, but DarkHotel seems to have adapted to Microsoft's VBScript deprecation.
According to reports, DarkHotel opted to deliver its VBScript exploits inside Office documents rather than targeting Internet Explorer users through the browser directly.
Instead, DarkHotel sent victims Word documents that loaded a malicious web page through an embedded IE frame. The choice was a smart one: the browser-zone restriction does not cover pages rendered by an IE component hosted inside Office, so VBScript execution was still permitted there.
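The practical consequence for defenders is that the interesting artifact is no longer a web page but a Word file that reaches out to one. The script below is an added example (not code from the original article, from Qihoo 360, or from the samples it describes) of a triage check for that vector. It assumes the "embedded IE frame" shows up in the OOXML package as an object-hosting element (`<w:object>`, `<o:OLEObject>` or `<w:control>`) whose relationship has `TargetMode="External"` and an http(s) target, or as a part shipped under `word/embeddings/` or `word/activeX/`. Both sample documents are constructed in memory, with a TEST-NET address standing in for the attacker server, so the script runs offline; the ProgID and relationship layout in them are illustrative, not recovered from any real sample.

```python
"""Triage check for .docx files that load an external web page through an object.
Added example; assumptions: a linked object is an OOXML relationship with
TargetMode="External" on a non-hyperlink type, or an embedded OLE/ActiveX part."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O = "urn:schemas-microsoft-com:office:office"
# Local names of WordprocessingML elements that host embedded or linked objects.
OBJECT_TAGS = {"object", "OLEObject", "control"}


def scan_docx(data: bytes) -> dict:
    """Walk every part of the package and collect what a reviewer would look at."""
    findings = {"external_objects": [],  # (rels part, rel type, target) for object links out
                "external_links": [],    # ordinary hyperlinks, usually benign
                "embedded_parts": [],    # OLE/ActiveX binaries shipped inside the package
                "object_elements": 0}    # object-hosting elements found in the XML parts
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lname = name.lower()
            if lname.startswith(("word/embeddings/", "word/activex/")):
                findings["embedded_parts"].append(name)
            elif lname.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{NS_REL}}}Relationship"):
                    if rel.get("TargetMode", "").lower() != "external":
                        continue  # internal parts are referenced by path, not by URL
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    bucket = "external_links" if rtype == "hyperlink" else "external_objects"
                    findings[bucket].append((name, rtype, rel.get("Target", "")))
            elif lname.startswith("word/") and lname.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                findings["object_elements"] += sum(
                    1 for el in root.iter() if el.tag.rsplit("}", 1)[-1] in OBJECT_TAGS)
    return findings


def verdict(findings: dict) -> str:
    """'suspicious' when an object points outside the file, 'review' for embedded objects."""
    if findings["external_objects"]:
        return "suspicious"
    if findings["embedded_parts"] or findings["object_elements"]:
        return "review"
    return "clean"


# Constructed sample 1: a linked OLE object whose relationship points at a web page.
LINKED_OBJECT_DOC = (
    f'<w:document xmlns:w="{W}" xmlns:r="{R}" xmlns:o="{O}"><w:body><w:p><w:r>'
    '<w:object><o:OLEObject Type="Link" ProgID="htmlfile" r:id="rId2" UpdateMode="Always"/>'
    '</w:object></w:r></w:p></w:body></w:document>')
LINKED_OBJECT_RELS = (
    f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId2" Type="{R}/oleObject" '
    'Target="http://192.0.2.10/index.html" TargetMode="External"/></Relationships>')
# Constructed sample 2: a plain hyperlink, external but not an object, so it stays clean.
HYPERLINK_DOC = (
    f'<w:document xmlns:w="{W}" xmlns:r="{R}"><w:body><w:p><w:hyperlink r:id="rId2">'
    '<w:r><w:t>report</w:t></w:r></w:hyperlink></w:p></w:body></w:document>')
HYPERLINK_RELS = (
    f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId2" Type="{R}/hyperlink" '
    'Target="https://www.example.com/" TargetMode="External"/></Relationships>')


def build_docx(document_xml: str, document_rels: str) -> bytes:
    """Assemble a minimal OOXML package around the given main part and its relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId1" '
                   f'Type="{R}/officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc, rels in (("linked-object.docx", LINKED_OBJECT_DOC, LINKED_OBJECT_RELS),
                             ("hyperlink.docx", HYPERLINK_DOC, HYPERLINK_RELS)):
        f = scan_docx(build_docx(doc, rels))
        print(label, verdict(f), f["external_objects"] or f["external_links"])
```

Hyperlinks are kept in a separate bucket on purpose: almost every business document carries external hyperlink relationships, so flagging them would bury the one relationship type that actually matters here, an object or frame that Word will resolve and render on open. Legacy `.doc` and RTF carriers need a different parser (the OLE compound file or RTF `\object` destinations), so this check is only a first pass on OOXML input.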
Based on the current evidence, it appears that in 2018 the group has gone all-in on VBScript exploits before they become totally useless.
As Microsoft continues to disable VBScript execution for more and more users, we might be watching a cyber-espionage group empty its VBScript arsenal in a last push to get value out of tools that will be worthless within a few years.