- South Korean citizens were hit with a zero-click malware from the North
- The malware used pop-up ads to install payloads
- Keyloggers and other malicious surveillance software was also installed
North Korean state-linked hacker ScarCruft recently conducted a large-scale cyber-espionage campaign using an Internet Explorer zero-day flaw to deploy RokRAT malware, experts have warned.
The group, also known as APT37 or RedEyes, is a North Korean state-sponsored hacking group known for cyber-espionage activities.
This group typically focuses on South Korean human rights activists, defectors, and political entities in Europe.
Internet Explorer Zero-Day flaw exploited
Over the years, ScarCruft has developed a reputation for using advanced techniques such as phishing, watering hole attacks, and exploiting zero-day vulnerabilities in software to infiltrate systems and steal sensitive information.
Their latest campaign, dubbed “Code on Toast,” was revealed in a joint report by South Korea’s National Cyber Security Center (NCSC) and AhnLab (ASEC). This campaign used a unique method involving toast pop-up ads to deliver zero-click malware infections.
The innovative aspect of this campaign lies in how ScarCruft used toast notifications – small pop-up ads displayed by antivirus software or free utility programs – to spread their malware.
ScarCruft compromised a domestic advertising agency’s server in South Korea to push malicious “Toast ads” through a popular but unnamed free software used by many South Koreans.
These malicious ads included a specially crafted iframe that triggered a JavaScript file named ‘ad_toast,’ which executed the Internet Explorer zero-day exploit. By using this zero-click method, ScarCruft was able to silently infect systems without user interaction.
The high-severity vulnerability in Internet Explorer used in this attack is tracked as CVE-2024-38178 and has been given a severity score of 7.5. The flaw exists in Internet Explorer’s JScript9.dll file, part of its Chakra engine, and allows remote code execution if exploited. Despite Internet Explorer’s official retirement in 2022, many of its components remain embedded in Windows or third-party software, making them ripe targets for exploitation.
ScarCruft’s use of the CVE-2024-38178 vulnerability in this campaign is particularly alarming because it closely resembles a previous exploit they used in 2022 for CVE-2022-41128. The only difference in the new attack is an additional three lines of code designed to bypass Microsoft’s earlier security patches.
Once the vulnerability is exploited, ScarCruft delivers RokRAT malware to the infected systems. RokRAT is primarily used to exfiltrate sensitive data with the malware targeting files with specific extensions like .doc, .xls, .ppt, and others, sending them to a Yandex cloud every 30 minutes. In addition to file exfiltration, RokRAT has surveillance capabilities, including keylogging, clipboard monitoring, and screenshot capture every three minutes.
The infection process consists of four stages, with each payload injected into the ‘explorer.exe’ process to evade detection. If popular antivirus tools like Avast or Symantec are found on the system, the malware is instead injected into a random executable from the C:\Windows\system32 folder. Persistence is maintained by placing a final payload, ‘rubyw.exe,’ in the Windows startup and scheduling it to run every four minutes.
Via BleepingComputer
