Cybersecurity researchers have uncovered a large-scale attack carried out in May 2024 by the North Korean hacking group ScarCruft. The attackers leveraged a previously unknown (zero-day) vulnerability in Internet Explorer's scripting engine to infect target computers with the RokRAT malware, enabling the theft of sensitive data. This information comes from a joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab Security Emergency Response Center (ASEC).
ScarCruft’s Tactics and the “Code on Toast” Campaign
ScarCruft, also known as APT37, InkySquid, and RedEyes, is a state-sponsored threat group specializing in espionage. Its latest campaign, dubbed "Code on Toast," takes a novel approach: advertising toast notifications, the small pop-ups that software displays in the corner of the screen, were turned into a zero-click infection vector. Because the pop-up is rendered automatically by the embedded browser engine, the victim does not need to click anything for the exploit to run.
Exploiting CVE-2024-38178: A Critical Vulnerability
At the heart of this attack lies the exploitation of CVE-2024-38178, a type confusion vulnerability in Internet Explorer's JScript9 scripting engine that allows remote code execution when malicious JavaScript is rendered. Notably, ScarCruft's exploit bears a striking resemblance to one used previously for CVE-2022-41128, with only minor modifications to get past Microsoft's fix for that earlier bug.
Infection Mechanism and Malware Propagation
According to AhnLab, the attackers compromised an advertising agency’s server to distribute malicious toast advertisements through popular free software in South Korea. This software utilized an outdated IE module to load advertising content, inadvertently facilitating the attack.
The malicious ads contained an iframe that, when rendered by the Internet Explorer engine, loaded a JavaScript file named ad_toast. This script exploited CVE-2024-38178 in JScript9.dll, the engine's JavaScript runtime, and the resulting code execution infected the victim's machine with the RokRAT trojan.
RokRAT: A Multifaceted Threat
RokRAT, a tool long favored by ScarCruft, is a versatile piece of malware with capabilities including:
- File theft targeting specific extensions (.doc, .mdb, .xls, .ppt, .txt, .amr, etc.)
- Keylogging and clipboard monitoring
- Regular screenshot capture
- Process management on infected machines
- Command execution from operators
- Data collection from various applications (KakaoTalk, WeChat) and browsers
Mitigating Risks in the Post-IE Era
Despite Microsoft officially ending support for Internet Explorer in June 2022, many of its components remain present in Windows and are still embedded by third-party software, creating potential attack vectors. Microsoft patched CVE-2024-38178 in August 2024, but the fix reaches systems through the Windows cumulative update, and third-party software that embeds legacy IE components can continue to expose them until that software is updated as well.
To minimize risks, cybersecurity experts recommend regular software updates, use of modern browsers and security tools, and caution when interacting with advertising content and pop-up notifications. Organizations should audit their software for outdated Internet Explorer components (the WebBrowser control and the mshtml/jscript9 engine it loads) and phase them out where possible, and should confirm that the August 2024 Windows update is installed on every host that still runs such software. Maintaining vigilance and adopting a proactive approach to cybersecurity remains crucial in safeguarding against sophisticated threats like those posed by ScarCruft and other advanced persistent threat groups.
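One way to run the audit described above on a single Windows host, as an added example written for this page (it is not tooling from the NCSC or ASEC report): it lists running processes that have loaded the legacy IE engine DLLs, shows which applications have registered themselves to use the IE engine in a fixed document mode, and reports the on-disk jscript9.dll version plus updates installed since the August 2024 Patch Tuesday. The module names and registry key are the standard Windows ones; the 13 August 2024 cutoff date is an assumption based on that month's Patch Tuesday, and the version you see must be compared by hand against the value Microsoft lists for your build in the CVE-2024-38178 advisory.

```powershell
# Added audit example, not code from the original report. Run from an elevated prompt.
# DLLs that make up the legacy Internet Explorer engine (Trident + JScript9).
$legacyModules = @('jscript9.dll', 'mshtml.dll', 'ieframe.dll')

# 1. Running processes that currently have the legacy IE engine loaded.
#    Ad/toast renderers embedded in third-party software show up here.
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $hits = $proc.Modules | Where-Object { $legacyModules -contains $_.ModuleName.ToLower() }
        if ($hits) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Path    = $proc.Path
                Modules = ($hits.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    } catch {
        # Protected or higher-integrity processes refuse module enumeration; skip them.
    }
} | Format-Table -AutoSize

# 2. Applications registered to use the IE engine at a fixed document mode.
#    An executable listed here deliberately embeds the WebBrowser control.
$emulationKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
)
foreach ($key in $emulationKeys) {
    if (Test-Path $key) {
        Write-Host "`n$key"
        Get-ItemProperty $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

# 3. Patch state: version of the vulnerable engine DLL on disk, and updates installed
#    since the August 2024 Patch Tuesday (assumed date: 13 August 2024).
$dll = Join-Path $env:SystemRoot 'System32\jscript9.dll'
if (Test-Path $dll) {
    (Get-Item $dll).VersionInfo | Select-Object FileName, ProductVersion
}
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2024-08-13' } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn
```

Step 1 is the most useful signal: a process that has jscript9.dll loaded while displaying web content from an ad network is exactly the exposure the campaign abused, regardless of whether the host's browser is Edge or Chrome. An empty list from step 2 does not prove the engine is unused (software can embed the control without registering an emulation mode), so treat steps 1 and 2 together, and treat step 3 as a prompt to check the advisory rather than as a verdict.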