The North Korean threat actor known as ScarCruft has been linked to the exploitation of a now-patched Windows zero-day security flaw to infect devices with malware known as RokRAT.
The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could lead to remote code execution when using the Edge browser in Internet Explorer mode. It was patched by Microsoft as part of its August 2024 Patch Tuesday updates.
Successful exploitation, however, requires an attacker to convince a user to click on a specially crafted URL in order to start execution of the malicious code.
The AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea, which are credited with discovering and reporting the flaw, have named the activity cluster Operation Code on Toast.
ScarCruft is also tracked under the alias TA-RedAnt, formerly known as RedEyes, and is known in the wider cybersecurity community as APT37, InkySquid, Reaper, Ricochet Chollima and Ruby Sleet.
The zero-day attack “is characterized by the use of a special ‘toast’ adware that is commonly bundled with various free software,” ASEC said in a statement shared with The Hacker News. “Toast ads in Korea mean pop-up notifications that appear at the bottom of the PC screen, usually in the lower right corner.”
The attack chain documented by the South Korean cybersecurity firm shows that the threat actors compromised the server of an unnamed domestic advertising agency that supplies content for toast advertisements, in order to inject exploit code into the advertising content script.
The vulnerability is said to be triggered when the toast program downloads and renders the tampered advertising content from that server.
“The attacker targeted a specific toast program that uses an unsupported module (Internet Explorer) to download advertising content,” according to a joint ASEC and NCSC threat analysis.
“This vulnerability causes IE’s JavaScript Engine (jscript9.dll) to incorrectly interpret data types, resulting in a type confusion error. An attacker used this vulnerability to infect a PC with a vulnerable toast program. Once infected, PCs were exposed to various malicious activities, including remote access.”
The latest version of RokRAT is capable of listing files, terminating arbitrary processes, receiving and executing commands from a remote server, and collecting data from applications such as KakaoTalk and WeChat, as well as browsers such as Chrome, Edge, Opera, Naver Whale, and Firefox.
RokRAT is also notable for using legitimate cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud as its command-and-control (C2) server, allowing it to blend in with normal traffic in corporate environments.
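Because the malware hides its C2 traffic behind legitimate cloud-storage domains, blocking those services is rarely an option; the practical defensive check is to baseline which processes on an endpoint are expected to talk to them and flag the rest. The script below is an added illustration of that check and is not code from the report, ASEC, or NCSC. The log line format, the hostname suffix list, and the allow-list of expected processes are all assumptions, and the log lines themselves are constructed sample data.

```python
"""Flag endpoint processes that reach the cloud-storage services the report
names as RokRAT C2 infrastructure (Dropbox, Google Cloud, pCloud, Yandex Cloud).

Added example, not from the original article. The log format, suffix list and
process allow-list are assumptions to be adapted to a real environment."""
import re
from collections import defaultdict

# Assumed hostname suffixes for the services named in the report. Traffic to
# them is normal in most networks; the signal is WHICH process generates it.
CLOUD_SUFFIXES = (
    "dropbox.com", "dropboxapi.com",
    "googleapis.com",
    "pcloud.com",
    "yandex.com", "yandex.net", "yandex.ru",
)

# Assumed allow-list: processes that are expected to talk to these services.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Assumed log format (constructed for this example):
#   <timestamp> host=<hostname> proc=<image name> dst=<fqdn> bytes_out=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev


def matches_cloud(dst):
    """True if the destination FQDN is one of the listed cloud services."""
    dst = dst.lower().rstrip(".")
    return any(dst == s or dst.endswith("." + s) for s in CLOUD_SUFFIXES)


def find_suspicious(lines, expected=EXPECTED_PROCESSES):
    """Return events where a non-allow-listed process reached a listed service."""
    allowed = {p.lower() for p in expected}
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that do not match the assumed format
        if matches_cloud(ev["dst"]) and ev["proc"].lower() not in allowed:
            hits.append(ev)
    return hits


def summarize(hits):
    """Aggregate hits per (host, process): event count, bytes out, destinations."""
    summary = defaultdict(lambda: {"events": 0, "bytes_out": 0, "destinations": set()})
    for ev in hits:
        entry = summary[(ev["host"], ev["proc"])]
        entry["events"] += 1
        entry["bytes_out"] += ev["bytes"]
        entry["destinations"].add(ev["dst"].lower())
    return dict(summary)


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-08-20T09:12:03Z host=WS-017 proc=chrome.exe dst=www.dropbox.com bytes_out=1200",
    "2024-08-20T09:13:44Z host=WS-017 proc=rundll32.exe dst=api.pcloud.com bytes_out=48231",
    "2024-08-20T09:14:01Z host=WS-017 proc=rundll32.exe dst=cloud-api.yandex.net bytes_out=9120",
    "2024-08-20T09:15:30Z host=WS-022 proc=dropbox.exe dst=api.dropboxapi.com bytes_out=880",
    "2024-08-20T09:16:02Z host=WS-022 proc=outlook.exe dst=outlook.office365.com bytes_out=5000",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for (host, proc), info in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{host} {proc}: {info['events']} events, "
              f"{info['bytes_out']} bytes out -> {sorted(info['destinations'])}")
```

On the constructed sample the browser and Dropbox client are ignored as expected, while the two uploads from an unexpected process on WS-017 are grouped together with their total outbound volume. In practice the allow-list should be derived from a baseline of the organisation's own telemetry, and a hit warrants looking at the process and its parent rather than treating the cloud domain itself as malicious.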
This is not the first time ScarCruft has weaponized flaws in an outdated browser to deliver malware. In recent years, it has exploited CVE-2020-1380, another memory corruption flaw in the Scripting Engine, and CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages.
“The technological level of North Korean hacking organizations has become more advanced, and they are exploiting various vulnerabilities in addition to [Internet Explorer],” the report said. “Accordingly, users should update their operating system and software security.”