In May of 2020, Kaspersky identified and stopped an attack on a South Korean business. This particular attack leveraged two previously undisclosed zero-day vulnerabilities in Internet Explorer and Windows.
- CVE-2020-0986 – Elevation of privilege exploit
- CVE-2020-1380 – Use-after-free vulnerability
CVE-2020-1380 is one of four recently discovered vulnerabilities in jscript.dll. The exploit references already freed memory to execute code and, in this case, to load a second-stage DLL. That second-stage DLL is a reflective loader that drops an executable called “ok.exe” into a temporary folder and runs it. ok.exe then takes advantage of CVE-2020-0986, which is related to the Print Spooler API, in order to elevate privileges. Kaspersky attributes these attacks to the DarkHotel threat group.
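The two-stage chain above (browser exploit drops and runs a binary from a temp folder, which then runs something at higher integrity) can be spotted in process-creation telemetry. The following detection heuristic is an added example, not Kaspersky's code or the incident's real logs; the event field names and the sample events are constructed, modelled loosely on Sysmon Event ID 1.

```python
import re
from typing import Dict, List

# Constructed sample events (field names are assumed, not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\ok.exe",
     "integrity": "Low"},
    {"parent": r"C:\Users\victim\AppData\Local\Temp\ok.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "integrity": "System"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "integrity": "Medium"},
]

TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
BROWSERS = {"iexplore.exe"}
LEVEL = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious stage, in event order."""
    alerts: List[str] = []
    integrity_of: Dict[str, str] = {}  # image path -> integrity it started with
    for e in events:
        integrity_of[e["image"]] = e["integrity"]
        # Stage 1: the browser (renderer hit via jscript.dll) launches a
        # binary from a temporary folder, matching the ok.exe drop.
        if basename(e["parent"]) in BROWSERS and TEMP_DIR.search(e["image"]):
            alerts.append(f"browser_dropped_temp_binary: {e['image']}")
        # Stage 2: a temp-folder binary spawns a child at a higher integrity
        # level than it was started with, consistent with a successful EoP.
        parent_level = integrity_of.get(e["parent"])
        if (TEMP_DIR.search(e["parent"]) and parent_level is not None
                and LEVEL[e["integrity"]] > LEVEL[parent_level]):
            alerts.append(f"temp_binary_integrity_jump: {e['parent']} -> {e['integrity']}")
    return alerts
```

The integrity-jump rule is a heuristic: an EoP that injects into an existing privileged process rather than spawning a child would not trigger it, so pair it with rules on the spooler-related processes named in the advisory.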