North Korean ScarCruft Exploits Windows Zero-Day to Disseminate RokRAT Malware

Oct 16, 2024Ravie LakshmananZero-Day / Windows Security


The North Korean threat actor ScarCruft, famously known for exploiting software vulnerabilities, has been tied to the exploitation of a newly-patched security flaw in Windows to distribute the RokRAT malware.

The specific vulnerability, identified as CVE-2024-38178 (with a CVSS score of 7.5), is a memory-related bug in the Scripting Engine that could lead to remote code execution when utilizing the Edge browser in Internet Explorer Mode. Microsoft issued a security patch for it as part of the August 2024 Patch Tuesday updates.

To successfully exploit this vulnerability, an attacker must persuade a user to click on a specially crafted URL, which triggers execution of the malicious code.


The discovery and report of this security flaw were credited to the AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea. They have labeled the malicious activity cluster as Operation Code on Toast.

ScarCruft, also tracked as TA-RedAnt and previously known as RedEyes, is the same cluster that other vendors name APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

The zero-day exploit involves the manipulation of a specific ‘toast’ advertising application commonly bundled with various freeware. ‘Toast’ ads refer to pop-up alerts at the bottom of PC screens, particularly in the lower-right corner, as detailed in a statement by ASEC to The Hacker News.

The attack flow outlined by the South Korean cybersecurity organization indicates that the threat actors compromised the server of a domestic advertising agency that supplies content for the toast ads, aiming to inject exploit code into the advertisement content script.


This vulnerability was exploited when the toast program fetched and displayed the malicious content from the server.

“The attacker targeted an unsupported [Internet Explorer] module utilized by a specific toast program to download ad content,” noted ASEC and NCSC in a collaborative threat analysis report.

“The flaw causes the JavaScript Engine of IE (jscript9.dll) to misinterpret data types, resulting in a type confusion error. Exploiting this vulnerability allowed the hackers to infect PCs with the vulnerable toast program. Once infected, the PCs were subjected to various malicious activities, including remote access.”
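The report attributes the infection to an application that embeds the unsupported IE script engine. As an added hunting example (not from the ASEC/NCSC report or this article), the PowerShell sweep below lists every running process that has jscript9.dll, or the HTML/browser-control libraries an embedded-IE application normally loads alongside it (mshtml.dll, ieframe.dll), mapped into its address space, together with the file version of each module. The module list and the assumption that the session can read other processes' module tables are mine.

```powershell
# Added hunting example (not from the ASEC/NCSC report): find processes that have the
# legacy Internet Explorer engines loaded. jscript9.dll is the script engine named in
# the report; mshtml.dll and ieframe.dll are the HTML/browser-control libraries an
# embedded-IE application normally pulls in alongside it (module list is an assumption).
$legacyIeModules = @('jscript9.dll', 'mshtml.dll', 'ieframe.dll')

$hits = foreach ($proc in Get-Process) {
    # Module lists of protected or higher-integrity processes are not readable from a
    # normal session; skip those rather than abort the sweep.
    $modules = try { $proc.Modules } catch { $null }
    if (-not $modules) { continue }

    foreach ($module in $modules) {
        if ($legacyIeModules -contains $module.ModuleName.ToLowerInvariant()) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ProcessPath = $proc.Path
                Module      = $module.ModuleName
                FileVersion = $module.FileVersionInfo.FileVersion
            }
        }
    }
}

if ($hits) {
    $hits | Sort-Object ProcessName, Module | Format-Table -AutoSize
} else {
    'No process currently has the legacy IE engine loaded.'
}
```

Any non-browser application in the output is a candidate for the kind of embedded-IE exposure described above; compare the reported jscript9.dll FileVersion against the version shipped by the August 2024 update for your Windows build (not given on this page). Run the sweep from an elevated session, and from a 32-bit PowerShell as well when the application of interest is 32-bit, since module enumeration across bitness is not always complete.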

The latest iteration of RokRAT is capable of enumerating files, terminating processes, executing commands received from a remote server, and collecting data from applications such as KakaoTalk and WeChat, as well as browsers like Chrome, Edge, Opera, Naver Whale, and Firefox.


RokRAT stands out for leveraging legitimate cloud services like Dropbox, Google Cloud, pCloud, and Yandex Cloud as its command-and-control (C2) infrastructure, enabling it to blend in with regular traffic within corporate networks.
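Because the C2 channel rides on services many organisations legitimately use, blocking the hosts outright is rarely an option; what can be checked is which process is talking to them. The following added detection example (mine, not the report's) runs over constructed records in the shape of Sysmon Event ID 3 (Image, DestinationHostname) and flags connections to the cloud-storage API hosts when the connecting binary is not on a site-specific allowlist of sync clients and browsers. The host patterns and the allowlist are assumptions to be tuned to your environment.

```powershell
# Added detection example (not from the report): flag outbound connections to the
# cloud-storage services RokRAT is reported to use as C2 when the connecting process
# is not an expected client. The record layout mimics Sysmon Event ID 3 fields
# (UtcTime, Image, DestinationHostname); the records themselves are constructed.
$cloudStorageHosts = @(
    '*.dropboxapi.com',       # Dropbox API
    'storage.googleapis.com', # Google Cloud Storage
    '*.pcloud.com',           # pCloud
    'cloud-api.yandex.net'    # Yandex Disk API
)

# Site-specific allowlist of binaries expected to talk to those services (assumption:
# tune it to the sync clients and browsers actually deployed in your environment).
$expectedClients = @('dropbox.exe', 'googledrivefs.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe')

# Constructed sample records; a real deployment would read these from the Sysmon log.
$events = @'
UtcTime,Image,DestinationHostname
2024-10-16 09:01:12,C:\Program Files\Dropbox\Client\Dropbox.exe,api.dropboxapi.com
2024-10-16 09:02:40,C:\Users\user\AppData\Local\Temp\updater.exe,content.dropboxapi.com
2024-10-16 09:03:05,C:\Program Files\Google\Chrome\Application\chrome.exe,storage.googleapis.com
2024-10-16 09:05:51,C:\Windows\System32\rundll32.exe,api.pcloud.com
2024-10-16 09:06:10,C:\Users\user\AppData\Roaming\sync.exe,cloud-api.yandex.net
'@ | ConvertFrom-Csv

function Test-CloudStorageHost {
    param([string]$HostName)
    foreach ($pattern in $cloudStorageHosts) {
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# A hit is a cloud-storage destination reached by a binary outside the allowlist.
$suspicious = $events | Where-Object {
    (Test-CloudStorageHost $_.DestinationHostname) -and
    ($expectedClients -notcontains (Split-Path -Leaf $_.Image).ToLowerInvariant())
}

$suspicious | Format-Table UtcTime, Image, DestinationHostname -AutoSize
```

Matching on the binary name alone is a first pass; in production the allowlist should also pin the expected install path and signer, otherwise a copy of a client binary dropped under a user-writable directory would pass the check.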

This isn’t the first instance where ScarCruft has exploited vulnerabilities in outdated browsers to deliver follow-on malware. Over the years, ScarCruft has been linked to the exploitation of CVE-2020-1380, a memory corruption flaw in the Scripting Engine, and CVE-2022-41128, a remote code execution flaw in Windows Scripting Languages.

“North Korean hacking capabilities have advanced significantly, leading them to exploit numerous vulnerabilities aside from [Internet Explorer],” the report emphasized. “Users should therefore ensure their operating systems and software are up to date.”
