North Korean hackers target South Korea with Internet Explorer 
vulnerabilities to deploy RokRAT malware

Date:
Sun, 08 Dec 2024 22:12:00 +0000

Description:
North Korean hacker intensifies cyber-espionage efforts by targeting media
organizations and experts in South Korean affairs.

FULL STORY

North Korean state-linked hacker ScarCruft recently conducted a large-scale
cyber-espionage campaign using an Internet Explorer zero-day flaw to deploy
RokRAT malware , experts have warned. 

The group, also known as APT37 or RedEyes, is a North Korean state-sponsored
hacking group known for cyber-espionage activities. 

This group typically focuses on South Korean human rights activists,
defectors, and political entities in Europe.

Internet Explorer Zero-Day flaw exploited

Over the years, ScarCruft has developed a reputation for using advanced
techniques such as phishing, watering hole attacks, and exploiting zero-day
vulnerabilities in software to infiltrate systems and steal sensitive
information. 

Their latest campaign, dubbed "Code on Toast," was revealed in a joint report
by South Korea's National Cyber Security Center (NCSC) and AhnLab (ASEC). 
This campaign used a unique method involving toast pop-up ads to deliver
zero-click malware infections. 

The innovative aspect of this campaign lies in how ScarCruft used toast
notifications - small pop-up ads displayed by antivirus software or free
utility programs - to spread their malware. 

ScarCruft compromised a domestic advertising agencys server in South Korea to
push malicious "Toast ads" through a popular but unnamed free software used 
by many South Koreans. 

These malicious ads included a specially crafted iframe that triggered a
JavaScript file named ad_toast, which executed the Internet Explorer zero-day
exploit. By using this zero-click method, ScarCruft was able to silently
infect systems without user interaction. 

The high-severity vulnerability in Internet Explorer used in this attack is
tracked as CVE-2024-38178 and has been given a severity score of 7.5. The 
flaw exists in Internet Explorers JScript9.dll file, part of its Chakra
engine, and allows remote code execution if exploited. Despite Internet
Explorers official retirement in 2022, many of its components remain embedded
in Windows or third-party software, making them ripe targets for 
exploitation. 

ScarCrufts use of the CVE-2024-38178 vulnerability in this campaign is
particularly alarming because it closely resembles a previous exploit they
used in 2022 for CVE-2022-41128. The only difference in the new attack is an
additional three lines of code designed to bypass Microsofts earlier security
patches. 

Once the vulnerability is exploited, ScarCruft delivers RokRAT malware to the
infected systems. RokRAT is primarily used to exfiltrate sensitive data with
the malware targeting files with specific extensions like .doc, .xls, .ppt,
and others, sending them to a Yandex cloud every 30 minutes. In addition to
file exfiltration, RokRAT has surveillance capabilities, including 
keylogging, clipboard monitoring, and screenshot capture every three minutes. 

The infection process consists of four stages, with each payload injected 
into the explorer.exe process to evade detection. If popular antivirus tools
like Avast or Symantec are found on the system, the malware is instead
injected into a random executable from the C:\Windows\system32 folder.
Persistence is maintained by placing a final payload, rubyw.exe, in the
Windows startup and scheduling it to run every four minutes. 

Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/North-Korean-hackers-target-South-Korea-with-int
ernet-Explorer-vulnerabilities-to-deploy-RokRAT-malware

$$
--- SBBSecho 3.20-Linux