Cyber Defense Advisors

North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT.

The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode. It was patched by Microsoft as part of its Patch Tuesday updates for August 2024.

However, successful exploitation requires an attacker to convince a user to click on a specially crafted URL in order to initiate the execution of malicious code.

The AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea, which were credited with discovering and reporting the shortcoming, have assigned the activity cluster the name Operation Code on Toast.

The organizations are tracking ScarCruft under the moniker TA-RedAnt, which was previously referred to as RedEyes. It’s also known in the wider cybersecurity community under the names APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

The zero-day attack is “characterized by the exploitation of a specific ‘toast’ advertisement program that is commonly bundled with various free software,” ASEC said in a statement shared with The Hacker News. “‘Toast’ ads, in Korea, refers to pop-up notifications that appear at the bottom of the PC screen, typically in the lower-right corner.”

The attack chain documented by the South Korean cybersecurity firm shows that the threat actors compromised the server of an unnamed domestic advertising agency that supplies content to the toast ads with the goal of injecting exploit code into the script of the advertisement content.

The vulnerability is said to have been triggered when the toast program downloads and renders the booby-trapped content from the server.

“The attacker targeted a specific toast program that utilizes an unsupported [Internet Explorer] module to download advertisement content, ASEC and NCSC said in a joint threat analysis report.

“This vulnerability causes the JavaScript Engine of IE (jscript9.dll) to improperly interpret data types, resulting in a type confusion error. The attacker exploited this vulnerability to infect PCs with the vulnerable toast program installed. Once infected, PCs were subjected to various malicious activities, including remote access.”

The latest version of RokRAT is capable of enumerating files, terminating arbitrary processes, receiving and executing commands received from a remote server, and gathering data from various applications such as KakaoTalk, WeChat, and browsers like Chrome, Edge, Opera, Naver Wales, and Firefox.

RokRAT is also notable for using legitimate cloud services like Dropbox, Google Cloud, pCloud, and Yandex Cloud as its command-and-control server, thereby allowing it to blend in with regular traffic in enterprise environments.

This is not the first time ScarCruft has weaponized vulnerabilities in the legacy browser to deliver follow-on malware. In recent years, it has been attributed to the exploitation of CVE-2020-1380, another memory corruption flaw in Scripting Engine, and CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages.

“The technological level of North Korean hacking organizations has become more advanced, and they are exploiting various vulnerabilities in addition to [Internet Explorer],” the report said. “Accordingly, users should update their operating system and software security.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.