Zero-day vulnerability in Microsoft's VBScript possibly exploited by a North Korean hacker group

Microsoft's VBScript is a Visual Basic-like scripting language implemented as a scripting engine for Active Scripting. A zero-day vulnerability has been found in this VBScript engine, and there are indications that it may have been exploited by DarkHotel, a hacker group believed to be linked to North Korea.

Zero-Day In Microsoft's VBScript Engine Used By Darkhotel APT

VBScript is a scripting engine that can be used with the latest versions of Windows and Internet Explorer 11. However, in the latest version of Windows the browser's default settings disable VBScript execution, so the browser is not affected by the vulnerability unless that setting is changed. VBScript can still be executed in other ways: office suite applications, for example, use Internet Explorer's engine to render web content, and that engine runs VBScript.
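Since the article's mitigation point is that the browser is only exposed when the "VBScript disabled" default has been changed, a defender will want to audit that setting. The following PowerShell check is an added example, not code from the article or from any of the vendors it cites; it assumes that Internet Explorer stores the zone setting "Allow VBScript to run in Internet Explorer" as the DWORD value `140C` (0 = enable, 1 = prompt, 3 = disable) under each zone key, and it reports the Internet (3) and Restricted sites (4) zones for both the user and machine hives.

```powershell
# Added example: report whether VBScript execution is disabled in the
# Internet Explorer Internet (3) and Restricted sites (4) security zones.
# Assumption: the zone setting "Allow VBScript to run in Internet Explorer"
# is stored as DWORD value name 140C (0 = enable, 1 = prompt, 3 = disable).
$vbsValueName = '140C'
$zoneNames = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-VBScriptZoneSetting {
    # Returns the numeric 140C value for one zone, or $null if it is not set.
    param([string]$Root, [int]$Zone)
    $key = Join-Path $Root $Zone
    $item = Get-ItemProperty -Path $key -Name $vbsValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$vbsValueName
}

foreach ($root in $roots) {
    $hive = $root.Substring(0, 4)   # 'HKCU' or 'HKLM'
    foreach ($zone in $zoneNames.Keys) {
        $setting = Get-VBScriptZoneSetting -Root $root -Zone $zone
        if ($null -eq $setting) {
            # Absent value: the platform default applies (disabled on current Windows).
            $state = 'not set (platform default applies)'
        } else {
            $state = switch ($setting) {
                0       { 'ENABLED - browser exposed to VBScript engine bugs' }
                1       { 'PROMPT' }
                3       { 'DISABLED' }
                default { "unknown value $setting" }
            }
        }
        '{0} zone {1} ({2}): {3}' -f $hive, $zone, $zoneNames[$zone], $state
    }
}
```

A value of 0 in either hive for zone 3 is the changed setting the article warns about; note that this check covers only the browser path and says nothing about applications that embed the engine directly.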

Security company Trend Micro discovered that the VBScript vulnerability was being exploited the day after Microsoft released its July 2018 Windows Update. The vulnerability, a use-after-free memory corruption bug designated CVE-2018-8373, allows an attacker to execute shellcode on the compromised computer. It was fixed in the August 2018 Windows Update.

Today is monthly "Windows Update" day - GIGAZINE

Analysis of CVE-2018-8373 by Trend Micro security researchers found that its exploit uses the same obfuscation code as the exploit for CVE-2018-8174, another VBScript vulnerability discovered in May 2018.

Based on this, Trend Micro security researcher Elliot Cao pointed out that the two vulnerabilities may have the same origin. Researchers at Chinese security firm Qihoo 360 support this view, pointing out that the same domain name appears in the code embedded in the Office document used to download the exploit code.

CVE-2018-8174, discovered in May 2018, is known to be linked to APT-C-06, the group behind the DarkHotel APT attacks. Experts at Qihoo 360 note that "the decryption algorithm used by the malware we analyzed is the same as the decryption algorithm used by APT-C-06," and point out that the same group may also have exploited CVE-2018-8373.

DarkHotel, which exploited these vulnerabilities, is known to target government officials staying in luxury hotels in Asia. In addition, a joint analysis of various malware samples by security companies McAfee and Intezer found that DarkHotel shares unique code with malware North Korea has used in the past, and concluded that it belongs to the family of malware North Korea created for hacking.

in Software, Security, Posted by logu_ii