Internet Explorer's scripting engine was the favorite target of a North Korean cyber-espionage group this year, after the hackers deployed two zero-days, but also crafted new exploits for two other older vulnerabilities.
The group's name is DarkHotel, a cyber-espionage group that McAfee[1] and many other cyber-security firms have already linked to the Pyongyang regime.
The group has been active since 2007, but it was publicly exposed in 2014[2] when Kaspersky published a now-infamous report detailing a complex hacking operation that involved breaching the internal WiFi networks of hundreds of hotels in order to infect high-profile guests with malware.
Despite being ousted in public reports, DarkHotel didn't stop its attacks, continuing to target victims --and most recently political figures in 2016 and 2017[3]-- with the same tactic.
But they also ran other operations. In one of them, the group --which in cyber-security circles goes by many different names such as APT-C-06, Dubnium, Fallout Team, Karba, Luder, Nemim, SIG25, and Tapaoux-- also hid malware inside a copy of North Korea's antivirus[4] sent to foreign researchers for study.
DarkHotel hackers had a fixation with Internet Explorer
But in 2018, the group has been especially active and has been seen numerous times targeting the same technology --Internet Explorer's VBScript scripting engine.
This year, researchers say DarkHotel hackers found and exploited a first IE zero-day[5] (CVE-2018-8174[6]) in April, and then a second[7] (CVE-2018-8373[8]) in August. Microsoft patched both, in May and September, respectively.
But according to a new report[9] published today, researchers at Qihoo 360 Core say the group has also created new exploits for two older IE