North Korean hackers target South Korea with Internet Explorer vulnerabilities to deploy RokRAT malware
- South Korean citizens were hit by zero-click malware from the North
- Malicious toast pop-up advertisements delivered the exploit without any user click
- The RokRAT payload keylogs, captures screenshots and exfiltrates documents
The North Korean state-sponsored hacking group ScarCruft recently carried out a large-scale cyber espionage campaign that exploited a zero-day flaw in Internet Explorer’s scripting engine to deploy the RokRAT malware, security researchers warn.
The group, also known as APT37 or RedEyes, is a North Korean state-sponsored hacking group known for cyber espionage activities.
The group typically targets South Korean human rights activists and defectors, as well as political entities in Europe.
Zero-Day bug exploited in Internet Explorer
Over the years, ScarCruft has built a reputation for using advanced techniques such as phishing, watering hole attacks, and exploiting zero-day vulnerabilities in software to infiltrate systems and steal sensitive information.
Their latest campaign, called ‘Code on Toast’, was revealed in a joint report by South Korea’s National Cyber Security Center (NCSC) and AhnLab (ASEC). This campaign used a unique pop-up advertising method to generate zero-click malware infections.
The innovative aspect of this campaign lies in the way ScarCruft used toast notifications – small pop-up ads displayed by antivirus software or free tools – to spread their malware.
ScarCruft compromised a server belonging to a domestic South Korean advertising agency and used it to serve malicious “toast ads” through a popular, unnamed free program that many South Koreans use.
These ads contained a specially crafted iframe that loaded a JavaScript file called ‘ad_toast’, which ran the Internet Explorer exploit. The attack is zero-click in the sense that the victim never had to interact with the ad: it only had to be rendered by the program’s embedded Internet Explorer component for the exploit to run and the system to be silently infected.
The Internet Explorer vulnerability used in this attack is tracked as CVE-2024-38178 and carries a CVSS score of 7.5 (high severity). The flaw is a memory corruption bug in JScript9.dll, the JScript scripting engine that is part of Chakra, and allows remote code execution; Microsoft fixed it in its August 2024 security updates. Although the Internet Explorer desktop application was officially retired in 2022, its rendering and scripting components were never removed from Windows: they are still used by Edge’s IE mode and by third-party software that embeds the legacy browser control, so any such application remains exploitable until the operating system patch is applied.
ScarCruft’s use of CVE-2024-38178 is particularly alarming because the exploit is very similar to the one the group used in 2022 for CVE-2022-41128, another JScript9 flaw. The only difference is three additional lines of code that bypass the fix Microsoft shipped for the earlier bug, indicating that the original patch was incomplete.
Once the vulnerability is exploited, ScarCruft delivers the RokRAT malware to the infected system. RokRAT is used mainly to exfiltrate sensitive data: it collects files with specific extensions such as .doc, .xls and .ppt and uploads them to Yandex cloud storage every 30 minutes. It also has surveillance capabilities, including keylogging, clipboard monitoring and screenshot capture every three minutes.
The infection process consists of four stages, with each payload injected into the ‘explorer.exe’ process to evade detection. If a popular antivirus product such as Avast or Symantec is found on the system, the malware instead injects into a randomly chosen executable from the C:\Windows\System32 folder. Persistence is maintained by placing the final payload, ‘rubyw.exe’, in the Windows Startup folder and registering a scheduled task that runs it every four minutes.
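A practitioner reading the two paragraphs above will want a concrete way to look for this behaviour on endpoints. The following is an added hunting example, not code from the NCSC/ASEC report, the article or the malware itself. It runs four toy detections over constructed Sysmon-style records: remote-thread injection from a non-Windows binary into explorer.exe or a System32 executable, an executable dropped into the Startup folder, a scheduled task with a repeat interval of a few minutes, and fixed-interval beaconing from the injected process to a cloud host. The event field names, the cloud-api.yandex.net destination and every sample record are assumptions made for illustration.

```python
"""Toy hunting logic for the RokRAT post-exploitation behaviour described
above, run over constructed Sysmon-style event records. Added example:
not from the NCSC/ASEC report, the article or the malware. Field names,
the Yandex hostname and all sample records are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

WINDOWS = "c:\\windows\\"
SYSTEM32 = "c:\\windows\\system32\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
TASK_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)

# Constructed sample telemetry (Sysmon-like IDs: 1 ProcessCreate,
# 3 NetworkConnect, 8 CreateRemoteThread, 11 FileCreate). Not real data.
RUBYW = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
         r"\Start Menu\Programs\Startup\rubyw.exe")
TOAST = r"C:\Program Files\FreeTool\toast_ad.exe"   # assumed ad module path
EVENTS = [
    {"id": 8, "time": "2024-05-10T09:00:05", "source": TOAST,
     "target": r"C:\Windows\explorer.exe"},
    {"id": 8, "time": "2024-05-10T09:00:06", "source": TOAST,
     "target": r"C:\Windows\System32\dllhost.exe"},
    {"id": 8, "time": "2024-05-10T09:00:07",               # OS-internal, benign
     "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\explorer.exe"},
    {"id": 11, "time": "2024-05-10T09:00:09", "image": r"C:\Windows\explorer.exe",
     "file": RUBYW},
    {"id": 11, "time": "2024-05-10T09:00:10", "image": r"C:\Windows\explorer.exe",
     "file": r"C:\Users\user\Downloads\report.docx"},
    {"id": 1, "time": "2024-05-10T09:00:12", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f'schtasks.exe /create /sc minute /mo 4 /tn "RubyUpdate" /tr "{RUBYW}"'},
    {"id": 1, "time": "2024-05-10T09:00:13", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'},
] + [  # roughly every 30 minutes from the injected explorer.exe
    {"id": 3, "time": t, "image": r"C:\Windows\explorer.exe", "dest": "cloud-api.yandex.net"}
    for t in ("2024-05-10T09:05:00", "2024-05-10T09:35:10",
              "2024-05-10T10:05:05", "2024-05-10T10:34:55")
] + [  # irregular browsing, should not be flagged
    {"id": 3, "time": t, "image": r"C:\Program Files\Browser\browser.exe", "dest": "www.example.com"}
    for t in ("2024-05-10T09:01:00", "2024-05-10T09:02:30", "2024-05-10T09:20:00")
]


def injection_alerts(events):
    """CreateRemoteThread into explorer.exe or a System32 binary from a
    source that does not itself live under C:\\Windows (toy allow-list)."""
    hits = []
    for e in events:
        if e["id"] != 8 or e["source"].lower().startswith(WINDOWS):
            continue
        tgt = e["target"].lower()
        if tgt.endswith("\\explorer.exe") or tgt.startswith(SYSTEM32):
            hits.append((e["source"], e["target"]))
    return hits


def startup_drops(events):
    """Executables written into a user's Startup folder."""
    return [e["file"] for e in events if e["id"] == 11
            and STARTUP_DIR in e["file"].lower() and e["file"].lower().endswith(".exe")]


def short_interval_tasks(events, max_minutes=5):
    """schtasks.exe creating a task that repeats every few minutes."""
    hits = []
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith("schtasks.exe"):
            m = TASK_RE.search(e["cmdline"])
            if m and int(m.group(1)) <= max_minutes:
                hits.append((int(m.group(1)), e["cmdline"]))
    return hits


def beacons(events, min_hits=3, tolerance_s=60):
    """Group outbound connections by (process, destination) and flag pairs
    whose inter-connection gaps all agree within tolerance_s seconds.
    Returns {pair: interval in whole minutes}."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            by_pair[(e["image"], e["dest"])].append(datetime.fromisoformat(e["time"]))
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            out[pair] = round(sum(gaps) / len(gaps) / 60)
    return out


def run_hunt(events):
    return {"injection": injection_alerts(events), "startup": startup_drops(events),
            "tasks": short_interval_tasks(events), "beacons": beacons(events)}


if __name__ == "__main__":
    for name, result in run_hunt(EVENTS).items():
        print(name, result)
```

The allow-list that ignores injection sources under C:\Windows is deliberately crude; production logic would key on signer, parent chain and the target's integrity level, and the beacon check should tolerate jitter and missed intervals (and would have to watch for the screenshot cadence separately). The point of the example is that each persistence and exfiltration trait the report describes maps to an observable that ordinary endpoint telemetry already records.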
Via BleepingComputer