- South Korean citizens were attacked by North Korean malware without clicking
- The malware used pop-up ads to install payloads.
- Keyloggers and other malicious surveillance software were also installed.
North Korean state-linked hacker ScarCruft recently carried out a large-scale cyberespionage campaign using an Internet Explorer zero-day flaw to deploy RokRAT malware, experts warned.
The group, also known as APT37 or RedEyes, is a North Korean state-sponsored hacking group known for its cyber espionage activities.
This group typically focuses on South Korean human rights activists, defectors, and political entities in Europe.
Internet Explorer zero-day flaw exploited
Over the years, ScarCruft has earned a reputation for using advanced techniques such as phishing, watering hole attacks, and exploiting zero-day vulnerabilities in software to infiltrate systems and steal sensitive information.
Their latest campaign, dubbed “Code on Toast,” was revealed in a joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab (ASEC). This campaign used a unique method including pop-up ads to generate malware infections without clicking.
The innovative aspect of this campaign lies in how ScarCruft used toast notifications (small pop-up ads displayed by free antivirus software or utilities) to spread its malware.
ScarCruft compromised the server of a national advertising agency in South Korea to serve malicious “Toast ads” via popular but anonymous free software used by many South Koreans.
These malicious ads included a specially crafted iframe that activated a JavaScript file called 'ad_toast', which executed the Internet Explorer zero-day exploit. By using this no-click method, ScarCruft was able to silently infect systems without user interaction.
The high severity vulnerability in Internet Explorer used in this attack is tracked as CVE-2024-38178 and has been given a severity score of 7.5. The flaw exists in Internet Explorer's JScript9.dll file, part of its Chakra engine, and allows remote code execution if exploited. Despite the official retirement of Internet Explorer in 2022, many of its components remain embedded in Windows or third-party software, making them ripe targets for exploitation.
ScarCruft's use of the CVE-2024-38178 vulnerability in this campaign is particularly alarming because it closely resembles a previous exploit they used in 2022 for CVE-2022-41128. The only difference in the new attack is three additional lines of code designed to bypass Microsoft's previous security patches.
Once the vulnerability is exploited, ScarCruft delivers the RokRAT malware to infected systems. RokRAT is mainly used to exfiltrate sensitive data with malware targeting files with specific extensions such as .doc, .xls, .ppt and others, sending them to a Yandex cloud every 30 minutes. In addition to file exfiltration, RokRAT has monitoring capabilities, including keylogging, clipboard monitoring, and screenshot every three minutes.
The infection process consists of four stages, and each payload is injected into the 'explorer.exe' process to evade detection. If popular antivirus tools such as Avast or Symantec are found on the system, the malware is injected into a random executable from the C:Windowssystem32 folder. Persistence is maintained by placing a final payload, 'rubyw.exe', at Windows startup and scheduling it to run every four minutes.
Through beepcomputer
