North Korean Cyber Group Exploits Windows Zero-Day to Spread RokRAT Malware

The North Korean hacking group ScarCruft has been linked to the exploitation of a Windows zero-day vulnerability to deliver the RokRAT malware. The flaw, tracked as CVE-2024-38178, sits in the legacy Internet Explorer scripting engine and was reachable through Microsoft Edge's Internet Explorer Mode and through any other software that still embeds the IE engine. It has since been patched, but it was exploited in the wild before the fix shipped.
The Vulnerability: CVE-2024-38178
CVE-2024-38178 is a memory corruption vulnerability in the Scripting Engine used by Internet Explorer Mode, the JScript9 engine implemented in jscript9.dll. Microsoft rated it 7.5 on the CVSS scale. Successful exploitation gives remote code execution: attacker-supplied code runs with the privileges of the process hosting the engine. In the Edge scenario described in Microsoft's advisory, the attacker has to convince the victim to open an attacker-controlled URL in Internet Explorer Mode; once the page is rendered, the malicious script corrupts memory in the engine and hijacks execution.
Microsoft addressed the flaw in its August 2024 Patch Tuesday updates. Before the patch was available, ScarCruft was already using the vulnerability in the wild against users in South Korea. The AhnLab Security Intelligence Center (ASEC) and South Korea's National Cyber Security Center (NCSC), which discovered and reported the flaw, named the campaign "Operation Code on Toast."
ScarCruft’s Attack Strategy
ScarCruft, also tracked as APT37, RedEyes, and InkySquid, has a long record of exploiting vulnerabilities in outdated or unsupported software. In this campaign the delivery vehicle was a "toast" advertisement program widely installed in South Korea. Toast ads are the pop-up notifications that slide into the lower-right corner of the desktop, and the program that displays them fetches and renders the ad content with the legacy Internet Explorer engine rather than a modern browser.
The attackers compromised the server of a domestic advertising agency and injected exploit code into the script that the toast program downloads to display its ads. Because every installation of the program fetched and rendered that script automatically, the victim did not have to click anything: the injected script pulled in booby-trapped content that triggered the memory corruption bug in Internet Explorer's JavaScript engine (jscript9.dll) inside the ad program's own process. Compromising one upstream ad server therefore turned every machine running the program into a target.
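The attack path above has one property defenders can hunt for: a non-browser process (here, an advertising program) loading the Internet Explorer engine and then, after the exploit, spawning child processes. The following script is an added example, not code from ASEC, NCSC, or the original article. It runs two stages over constructed, Sysmon-shaped Event ID 7 (ImageLoaded) and Event ID 1 (ProcessCreate) records: first it flags processes outside an allowlist that load jscript9.dll, jscript.dll, or mshtml.dll, then it flags any process creation whose parent is one of those flagged processes. The allowlist, the sample paths, and the PIDs are assumptions made up for the example.

```python
"""Hunt for the legacy Internet Explorer engine (jscript9.dll and friends)
being loaded by processes that have no business hosting it, such as a
third-party ad or "toast" program embedding the IE WebBrowser control,
and for child processes spawned from such hosts.  The telemetry below is
constructed for this example in the shape of Sysmon Event ID 7 (ImageLoaded)
and Event ID 1 (ProcessCreate) records; nothing here is real case data."""
from typing import Dict, List, Set

# DLLs that make up the legacy IE engine: jscript9.dll (the JScript9 engine
# affected by CVE-2024-38178), jscript.dll (the older engine used in legacy
# document modes) and mshtml.dll (the Trident renderer that hosts both).
IE_ENGINE_DLLS = {"jscript9.dll", "jscript.dll", "mshtml.dll"}

# Assumption: only these images are expected to host the IE engine in the
# estate being monitored.  Tune it; every line-of-business app that still
# embeds the WebBrowser control will show up until it is added or migrated.
EXPECTED_IE_HOSTS = {"iexplore.exe", "msedge.exe"}

# Constructed sample events (Sysmon field names, made-up paths and PIDs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "ProcessId": "4120",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript9.dll"},
    {"EventID": "7", "ProcessId": "5180",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\jscript9.dll"},
    {"EventID": "7", "ProcessId": "6200",
     "Image": r"C:\Users\user\AppData\Local\AdToast\toastad.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\mshtml.dll"},
    {"EventID": "7", "ProcessId": "6200",
     "Image": r"C:\Users\user\AppData\Local\AdToast\toastad.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\jscript9.dll"},
    {"EventID": "7", "ProcessId": "7001",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": "1", "ProcessId": "6310", "ParentProcessId": "6200",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\stage.bat"'},
    {"EventID": "1", "ProcessId": "8002", "ParentProcessId": "4120",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=renderer"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_ie_hosts(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Stage 1: map PID -> image for processes that loaded an IE engine DLL
    but are not in EXPECTED_IE_HOSTS."""
    hosts: Dict[str, str] = {}
    for ev in events:
        if ev.get("EventID") != "7":
            continue
        if basename(ev["ImageLoaded"]) not in IE_ENGINE_DLLS:
            continue
        if basename(ev["Image"]) not in EXPECTED_IE_HOSTS:
            hosts[ev["ProcessId"]] = ev["Image"]
    return hosts


def find_children_of(events: List[Dict[str, str]],
                     parent_pids: Set[str]) -> List[Dict[str, str]]:
    """Stage 2: process-creation events whose parent is a flagged host.
    A script-engine host that starts spawning shells is what a successful
    RCE followed by a download-and-execute payload looks like."""
    return [ev for ev in events
            if ev.get("EventID") == "1" and ev.get("ParentProcessId") in parent_pids]


def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Run both stages; stage 2 hits are the ones to escalate first."""
    hosts = find_unexpected_ie_hosts(events)
    children = find_children_of(events, set(hosts))
    return {"unexpected_ie_hosts": hosts, "spawned_from_ie_hosts": children}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid, image in result["unexpected_ie_hosts"].items():
        print(f"[medium] PID {pid}: {image} loaded the IE engine")
    for ev in result["spawned_from_ie_hosts"]:
        print(f"[high]   PID {ev['ParentProcessId']} spawned {ev['Image']}: {ev['CommandLine']}")
```

On the constructed data the toast program (PID 6200) is the only unexpected host and its cmd.exe child is the stage 2 hit, while Edge and iexplore.exe loading the same DLL stay silent. In production, correlate on Sysmon's ProcessGuid and a time window rather than the bare PID, since PIDs are reused.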
The Role of RokRAT Malware
Once the exploit succeeded, the payload installed RokRAT, the remote access trojan ScarCruft has used for years, on the victim machine. RokRAT is a versatile backdoor capable of several actions:
- Collecting data from apps like KakaoTalk, WeChat, and browsers such as Chrome, Edge, Opera, and Firefox.
- Terminating processes.
- Executing commands from a remote server.
- Interacting with files.
One notable aspect of RokRAT is its use of legitimate cloud services, including Dropbox, Google Cloud, and Yandex Cloud, as command-and-control (C2) infrastructure. Traffic to these services is common in any enterprise, is encrypted with TLS, and goes to hosts with a clean reputation, so destination blocking and reputation feeds are of little use. Detection has to rely on context instead: which process is talking to the storage API, whether that process is a sanctioned client, and whether its requests arrive on a regular beaconing schedule.
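To make the detection point concrete, here is an added example (not code from the article, ASEC, or any vendor) that runs two rules over constructed EDR-style network events: rule 1 flags any process outside an allowlist that contacts a cloud storage API host, and rule 2 computes the inter-request intervals per (process, destination) pair and flags pairs whose timing is too regular to be human or browser-driven. The API host list, the allowed client list, the log layout, and the sample rows are assumptions made up for the example.

```python
"""Spot command-and-control hidden in traffic to legitimate cloud storage
services.  Because the destinations really are Dropbox/Yandex/Google hosts,
reputation and destination blocking do not help; the logic below keys on
(1) which process is talking to a storage API and (2) whether the requests
arrive at a suspiciously regular interval (beaconing).  The log is constructed
for this example; its layout mimics an EDR network event, not any vendor's
real format."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumption: API endpoints of the storage services named in the report.
CLOUD_STORAGE_API_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "cloud-api.yandex.net",
    "storage.googleapis.com",
}

# Assumption: process names allowed to talk to those APIs without a flag.
EXPECTED_CLIENTS = {"dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed sample log: a real sync client, a browser, the genuine
# svchost.exe talking to Windows Update, and a lookalike svchost.exe in a
# user profile polling the Dropbox API every 60 seconds.
SAMPLE_LOG = r"""timestamp,endpoint,process,dest_host,user_agent
2024-08-12T09:00:00,WS-017,C:\Program Files (x86)\Dropbox\Client\Dropbox.exe,api.dropboxapi.com,Dropbox-Desktop-Client
2024-08-12T09:00:40,WS-017,C:\Program Files (x86)\Dropbox\Client\Dropbox.exe,content.dropboxapi.com,Dropbox-Desktop-Client
2024-08-12T09:00:55,WS-017,C:\Program Files\Google\Chrome\Application\chrome.exe,api.dropboxapi.com,Mozilla/5.0
2024-08-12T09:01:00,WS-017,C:\Users\user\AppData\Roaming\svchost.exe,api.dropboxapi.com,Mozilla/4.0
2024-08-12T09:02:00,WS-017,C:\Users\user\AppData\Roaming\svchost.exe,api.dropboxapi.com,Mozilla/4.0
2024-08-12T09:03:00,WS-017,C:\Users\user\AppData\Roaming\svchost.exe,api.dropboxapi.com,Mozilla/4.0
2024-08-12T09:03:10,WS-017,C:\Program Files (x86)\Dropbox\Client\Dropbox.exe,api.dropboxapi.com,Dropbox-Desktop-Client
2024-08-12T09:04:00,WS-017,C:\Users\user\AppData\Roaming\svchost.exe,api.dropboxapi.com,Mozilla/4.0
2024-08-12T09:05:00,WS-017,C:\Users\user\AppData\Roaming\svchost.exe,api.dropboxapi.com,Mozilla/4.0
2024-08-12T09:07:30,WS-017,C:\Windows\System32\svchost.exe,ctldl.windowsupdate.com,Microsoft-CryptoAPI/10.0
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the CSV into rows with a datetime and a lower-cased process name."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "endpoint": row["endpoint"],
            "process": row["process"],
            "process_name": row["process"].rsplit("\\", 1)[-1].lower(),
            "dest_host": row["dest_host"].lower(),
            "user_agent": row["user_agent"],
        })
    return rows


def unexpected_storage_clients(rows: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Rule 1: (process path, dest_host) -> request count for processes not
    in EXPECTED_CLIENTS that contact a storage API host.  Keyed on the full
    path so a lookalike svchost.exe in a profile directory is reported
    separately from the real one in System32."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in rows:
        if r["dest_host"] in CLOUD_STORAGE_API_HOSTS and r["process_name"] not in EXPECTED_CLIENTS:
            counts[(r["process"], r["dest_host"])] += 1
    return dict(counts)


def beacon_candidates(rows: List[Dict[str, object]], min_requests: int = 4,
                      max_jitter: float = 0.15) -> List[Dict[str, object]]:
    """Rule 2: per (process path, dest_host), measure the gaps between
    consecutive requests and flag the pair when there are enough requests
    and the coefficient of variation of the gaps is below max_jitter."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in rows:
        if r["dest_host"] in CLOUD_STORAGE_API_HOSTS:
            by_key[(r["process"], r["dest_host"])].append(r["ts"])
    hits = []
    for (process, dest), stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; not a usable interval
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"process": process, "dest_host": dest, "requests": len(stamps),
                         "mean_interval_s": avg, "jitter": jitter})
    return hits


def triage(text: str) -> Dict[str, object]:
    """Run both rules over a log and return the findings together."""
    rows = parse_log(text)
    return {"unexpected_clients": unexpected_storage_clients(rows),
            "beacons": beacon_candidates(rows)}


if __name__ == "__main__":
    for key, n in triage(SAMPLE_LOG)["unexpected_clients"].items():
        print(f"[rule1] {key[0]} -> {key[1]} ({n} requests)")
    for hit in triage(SAMPLE_LOG)["beacons"]:
        print(f"[rule2] {hit['process']} -> {hit['dest_host']} every {hit['mean_interval_s']:.0f}s")
```

On the sample data only the profile-directory svchost.exe trips both rules; the real Dropbox client is allowed by rule 1 and makes too few, too irregular requests for rule 2. The jitter threshold is the knob to tune: real implants add random sleep, so start loose and tighten once you have a baseline of the legitimate sync clients' polling behaviour.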
Previous Exploits by ScarCruft
ScarCruft has a history of exploiting vulnerabilities, especially in the Scripting Engine of Internet Explorer. In the past, they were linked to the exploitation of CVE-2020-1380 and CVE-2022-41128. These vulnerabilities, like CVE-2024-38178, allowed for remote code execution and were similarly used to spread malware.
Defense and Recommendations
Cybersecurity experts warn that North Korean threat actors have become more sophisticated in recent years. They now target a wider range of vulnerabilities, not just in Internet Explorer but across many software systems, and this campaign shows they are willing to compromise a third party's update or ad server to reach victims who would never open a phishing link.
To protect against similar attacks, organizations and individuals should:
- Apply the August 2024 security updates. Internet Explorer 11 was retired in 2022, but jscript9.dll and mshtml.dll still ship with Windows and are only fixed by the cumulative update; "we do not use IE" is not a reason to skip it.
- Inventory software that still loads the Internet Explorer engine: Edge in Internet Explorer Mode, applications embedding the WebBrowser control, and HTML Applications run through mshta.exe. Retire what can be retired and restrict the rest.
- Where Internet Explorer Mode is genuinely needed, limit it to a managed site list through Edge's InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList policies instead of enabling it for every site.
- Treat auto-updating third-party agents such as ad or notification programs as part of the software supply chain: they run with the user's privileges and fetch and execute remote content without prompting.
- Exercise caution when clicking on URLs, especially in pop-up ads.
Keeping systems updated, shrinking the footprint of the legacy IE engine, and watching for unexpected processes loading it or talking to cloud storage APIs will mitigate most of the risk posed by groups like ScarCruft.