The North Korean risk actor generally known as ScarCruft has been linked to the zero-day exploitation of a now-patched safety flaw in Home windows to contaminate gadgets with malware generally known as RokRAT.
The vulnerability in query is CVE-2024-38178 (CVSS rating: 7.5), a reminiscence corruption bug within the Scripting Engine that might lead to distant code execution when utilizing the Edge browser in Web Explorer Mode. It was patched by Microsoft as a part of its Patch Tuesday updates for August 2024.
Nonetheless, profitable exploitation requires an attacker to persuade a person to click on on a specifically crafted URL so as to provoke the execution of malicious code.
The AhnLab Safety Intelligence Heart (ASEC) and the Nationwide Cyber Security Heart (NCSC) of the Republic of Korea, which had been credited with discovering and reporting the shortcoming, have assigned the exercise cluster the identify Operation Code on Toast.
The organizations are monitoring ScarCruft below the moniker TA-RedAnt, which was beforehand known as RedEyes. It is also recognized within the wider cybersecurity neighborhood below the names APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.
The zero-day assault is “characterized by the exploitation of a specific ‘toast’ advertisement program that is commonly bundled with various free software,” ASEC stated in a press release shared with The Hacker Information. “‘Toast’ ads, in Korea, refers to pop-up notifications that appear at the bottom of the PC screen, typically in the lower-right corner.”
The assault chain documented by the South Korean cybersecurity agency exhibits that the risk actors compromised the server of an unnamed home promoting company that provides content material to the toast adverts with the objective of injecting exploit code into the script of the commercial content material.
The vulnerability is alleged to have been triggered when the toast program downloads and renders the booby-trapped content material from the server.
“The attacker focused a particular toast program that makes use of an unsupported [Internet Explorer] module to obtain commercial content material, ASEC and NCSC stated in a joint risk evaluation report.
“This vulnerability causes the JavaScript Engine of IE (jscript9.dll) to improperly interpret data types, resulting in a type confusion error. The attacker exploited this vulnerability to infect PCs with the vulnerable toast program installed. Once infected, PCs were subjected to various malicious activities, including remote access.”
The newest model of RokRAT is able to enumerating recordsdata, terminating arbitrary processes, receiving and executing instructions acquired from a distant server, and gathering knowledge from varied purposes resembling KakaoTalk, WeChat, and browsers like Chrome, Edge, Opera, Naver Wales, and Firefox.
RokRAT can also be notable for utilizing professional cloud providers like Dropbox, Google Cloud, pCloud, and Yandex Cloud as its command-and-control server, thereby permitting it to mix in with common visitors in enterprise environments.
This isn’t the primary time ScarCruft has weaponized vulnerabilities within the legacy browser to ship follow-on malware. In recent times, it has been attributed to the exploitation of CVE-2020-1380, one other reminiscence corruption flaw in Scripting Engine, and CVE-2022-41128, a distant code execution vulnerability in Home windows Scripting Languages.
“The technological level of North Korean hacking organizations has become more advanced, and they are exploiting various vulnerabilities in addition to [Internet Explorer],” the report stated. “Accordingly, users should update their operating system and software security.”
