North Korean Group ScarCruft Exploits Windows Zero-Day to Disseminate RokRAT Malware

October 16, 2024

ScarCruft, a North Korean threat actor, has been linked to the exploitation of a Windows zero-day vulnerability to infect devices with RokRAT malware. The vulnerability, tracked as CVE-2024-38178, is a memory corruption bug in the Scripting Engine that can lead to remote code execution when the Edge browser is used in Internet Explorer Mode. Microsoft patched it as part of its August 2024 Patch Tuesday updates.

Successful exploitation requires a user to click on a specially crafted URL, which triggers the execution of malicious code. The AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of South Korea discovered and reported the flaw, and labeled the activity cluster Operation Code on Toast. These organizations track ScarCruft under the alias TA-RedAnt; the broader cybersecurity community also knows the group as APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

The zero-day attack is notable for its exploitation of a specific 'toast' advertisement program typically bundled with various free software. In Korea, 'toast' ads are pop-up notifications that appear at the bottom of the PC screen. AhnLab documented an attack chain in which the threat actors compromised the server of an unidentified domestic advertising agency in order to inject exploit code into the script of the advertisement content. The vulnerability was triggered when the toast program downloaded and rendered the compromised content from the server.

ASEC and NCSC provided a joint threat analysis report stating, 'The attacker targeted a specific toast program that utilizes an unsupported [Internet Explorer] module to download advertisement content. This vulnerability causes the JavaScript Engine of IE (jscript9.dll) to improperly interpret data types, resulting in a type confusion error. The attacker exploited this vulnerability to infect PCs with the vulnerable toast program installed. Once infected, PCs were subjected to various malicious activities, including remote access.'

The latest RokRAT version can enumerate files, terminate arbitrary processes, execute commands received from a remote server, and collect data from applications such as KakaoTalk and WeChat and from browsers including Chrome, Edge, Opera, Naver Whale, and Firefox. RokRAT stands out for its use of legitimate cloud services, including Dropbox, Google Cloud, pCloud, and Yandex Cloud, as its command-and-control infrastructure, which lets its traffic blend in with normal activity in enterprise environments.
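Because RokRAT talks to legitimate cloud-storage services, the destination alone tells a defender little; the process making the connection is a more useful signal. The script below is an added example, not code from the article, from ASEC/NCSC, or from any product: it parses constructed proxy-style log lines that carry the originating image path, maps destinations to the providers named above, and flags connections from processes that are not an expected browser or sync client. The log format, the domain list, and the process allow-list are assumptions made for the example.

```python
"""Flag cloud-storage traffic that originates from unexpected processes.

Added example, not from the article or any vendor tooling. The log line
format, the provider domain list and the process allow-list below are
assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed registrable domains for the providers the article names as RokRAT C2.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "googleapis.com": "Google Cloud",
    "pcloud.com": "pCloud",
    "yandex.com": "Yandex Cloud",
    "yandex.net": "Yandex Cloud",
    "yandex.ru": "Yandex Cloud",
}

# Assumed allow-list: browsers and one sync client for which this traffic is normal.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "whale.exe",
    "dropbox.exe",
}

# Constructed log format: ts host=... pid=... image=<path with spaces> dst=host:port
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"image=(?P<image>.+?)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    pid: int
    image: str
    provider: str
    dst: str


def provider_for(hostname: str) -> Optional[str]:
    """Return the provider name if hostname is under a listed domain, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try every suffix longer than the bare TLD, so subdomains match too.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_STORAGE_DOMAINS:
            return CLOUD_STORAGE_DOMAINS[candidate]
    return None


def image_basename(image: str) -> str:
    """Lower-cased file name of an image path, accepting either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(lines) -> list:
    """Return alerts for cloud-storage connections from non-allow-listed processes."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole batch
        rec = m.groupdict()
        provider = provider_for(rec["dst"])
        if provider is None or image_basename(rec["image"]) in EXPECTED_PROCESSES:
            continue
        alerts.append(Alert(rec["ts"], rec["host"], int(rec["pid"]),
                            rec["image"], provider, rec["dst"]))
    return alerts


# Constructed sample log: an ad program and a Temp-dir binary reaching cloud storage,
# a browser doing the same legitimately, an unrelated connection, and a bad line.
SAMPLE_LOG = """\
2024-10-16T09:12:03Z host=PC-01 pid=4120 image=C:\\Program Files\\Example Toast\\toastad.exe dst=api.dropboxapi.com:443
2024-10-16T09:12:05Z host=PC-01 pid=2210 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe dst=www.dropbox.com:443
2024-10-16T09:13:11Z host=PC-02 pid=5531 image=C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe dst=api.pcloud.com:443
2024-10-16T09:13:40Z host=PC-02 pid=1880 image=C:\\Windows\\System32\\svchost.exe dst=update.example.com:443
this line is not in the expected format
"""

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.host} pid={a.pid} {a.image} -> {a.dst} ({a.provider})")
```

A file-name allow-list is deliberately simple; in a real deployment the allow decision should rest on the image path and code signer rather than the name, since a renamed binary trivially passes a name check. The useful part is the framing: enrich outbound cloud-storage connections with the originating process, then review the ones that are not a browser or a known client.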

ScarCruft has a history of exploiting vulnerabilities in legacy browsers to deliver follow-on malware, including CVE-2020-1380 and CVE-2022-41128. As North Korean hacking organizations advance technologically, they are exploiting vulnerabilities beyond Internet Explorer, so users are advised to keep their operating system and software up to date.
