North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

Oct 16, 2024Ravie Lakshmanan

Zero-Day / Windows Security

ScarCruft’s Exploitation of Windows Vulnerability

The North Korean threat group ScarCruft has been linked to the zero-day exploitation of a now-patched Windows security flaw. The vulnerability, tracked as CVE-2024-38178 (CVSS score: 7.5), is a memory corruption bug in the Scripting Engine that can lead to remote code execution when a target uses the Edge browser in Internet Explorer Mode.

Exploitation requires the attacker to convince a user to click a specially crafted URL, which then triggers execution of attacker-controlled code. Microsoft fixed the flaw in its August 2024 Patch Tuesday updates.

The AhnLab Security Intelligence Center (ASEC) and South Korea's National Cyber Security Center (NCSC), which discovered and reported the vulnerability, have named the activity "Operation Code on Toast." ASEC tracks ScarCruft as TA-RedAnt (formerly RedEyes); the group is also known as APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

ASEC said the zero-day was exploited through a "toast" advertisement program of the kind commonly bundled with free software. In South Korea, "toast" ads are pop-up notifications that appear in the bottom-right corner of the PC screen.

In the attack chain documented by ASEC, the threat actors compromised the server of an unnamed domestic advertising agency that supplies content to these toast ads, and injected exploit code into the advertisement script it served.

According to the joint threat analysis report from ASEC and NCSC, the vulnerability was triggered when the toast program downloaded and rendered the tampered content from the server. The targeted toast program used an unsupported Internet Explorer module to fetch advertisement content, so the injected script ran inside Internet Explorer's JavaScript engine (jscript9.dll), where it triggered a type confusion bug and let the attackers compromise any PC on which the vulnerable toast program was installed. Compromised machines were then subjected to a range of malicious activity, including remote access. This is worth noting for defenders: Internet Explorer 11 was retired as a desktop application in June 2022, but the MSHTML and jscript9.dll components remain in Windows to serve IE Mode and any third-party software that embeds the legacy browser control, so such programs stay exposed to Scripting Engine flaws long after the browser itself is gone.

The latest version of RokRAT, the malware delivered in this attack, can enumerate files, terminate arbitrary processes, execute commands received from a remote server, and gather data from applications including KakaoTalk, WeChat, and the Chrome, Edge, Opera, Naver Whale, and Firefox web browsers.

RokRAT is notable for using legitimate cloud services, including Dropbox, Google Cloud, pCloud, and Yandex Cloud, as its command-and-control infrastructure. Because the same services are in routine use inside enterprise networks, the malware's traffic blends in with normal activity, which complicates detection by destination alone.
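The two behaviours above suggest two host-based detections that do not depend on knowing the exploit or the C2 domain in advance: a process other than a browser mapping jscript9.dll (a third-party program embedding the legacy IE engine, like the toast program), and a process other than a browser or sync client talking to a cloud storage API. The following is an added example written for this page, not code from ASEC, NCSC, or the original article. It runs both rules over constructed Sysmon-style records (Event ID 7 image loads and Event ID 3 network connections); the process allow-lists, the cloud-service domain list, and the sample executable names are assumptions to be tuned per environment.

```python
"""Two detection rules derived from the Operation Code on Toast chain.

Added example; the event records below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Assumption: processes an analyst expects to host the legacy IE script engine.
EXPECTED_JSCRIPT9_HOSTS = {"iexplore.exe", "msedge.exe"}

# Assumption: processes expected to talk to cloud storage APIs directly.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Assumption: registrable-domain suffixes for the services named in the article.
CLOUD_STORAGE_SUFFIXES = (
    "dropboxapi.com", "dropbox.com", "pcloud.com", "yandex.net", "googleapis.com",
)

# Constructed Sysmon-like events: EventID 7 = ImageLoad, EventID 3 = NetworkConnect.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript9.dll"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\FreeUtil\ToastAd.exe",  # hypothetical name
     "ImageLoaded": r"C:\Windows\SysWOW64\jscript9.dll"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "content.dropboxapi.com"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\svchosts.exe",  # hypothetical name
     "DestinationHostname": "api.pcloud.com"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\svchosts.exe",
     "DestinationHostname": "cloud-api.yandex.net"},
]


def _basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(win_path).name.lower()


def _host_matches(hostname: str, suffixes) -> bool:
    """Label-aware suffix match: 'api.pcloud.com' matches 'pcloud.com',
    but 'evil-dropbox.com' does not match 'dropbox.com'."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def unexpected_jscript9_loads(events, expected=EXPECTED_JSCRIPT9_HOSTS):
    """Return (process, dll) pairs where a non-allow-listed process mapped jscript9.dll."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or _basename(ev["ImageLoaded"]) != "jscript9.dll":
            continue
        if _basename(ev["Image"]) not in expected:
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


def unexpected_cloud_storage_clients(events, expected=EXPECTED_CLOUD_CLIENTS):
    """Return {process: sorted hostnames} for non-allow-listed processes that
    connected to a cloud storage API. Keys on process identity, not destination."""
    by_proc = {}
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        host = ev.get("DestinationHostname", "")
        if not _host_matches(host, CLOUD_STORAGE_SUFFIXES):
            continue
        if _basename(ev["Image"]) in expected:
            continue
        by_proc.setdefault(ev["Image"], set()).add(host.lower())
    return {proc: sorted(hosts) for proc, hosts in by_proc.items()}


if __name__ == "__main__":
    for proc, dll in unexpected_jscript9_loads(SAMPLE_EVENTS):
        print(f"[legacy IE engine] {proc} loaded {dll}")
    for proc, hosts in unexpected_cloud_storage_clients(SAMPLE_EVENTS).items():
        print(f"[cloud C2 candidate] {proc} -> {', '.join(hosts)}")
```

The first rule is also a useful inventory tool before an incident: run it over a fleet's image-load telemetry and it lists every installed program that still embeds the IE engine, which is exactly the software class this campaign abused. The second rule deliberately does not try to block the destinations, since the same APIs carry legitimate traffic; it asks which process is talking to them, and an executable in a user's Temp directory doing so is the signal.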

This is not an isolated occurrence: ScarCruft has a track record of weaponizing vulnerabilities in legacy browsers to deliver follow-on malware. The group previously exploited CVE-2020-1380, another Scripting Engine memory corruption flaw, and CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages.

As North Korean hacking groups grow more technically capable, they are exploiting a wider range of vulnerabilities beyond Internet Explorer. Users are advised to keep their operating systems and software up to date; since jscript9.dll is a Windows component, the August 2024 cumulative update fixes this bug even for third-party programs that embed the legacy engine, although such programs remain exposed to the next flaw in it for as long as they keep using it.
