North Korea’s advanced persistent threat group, ScarCruft, launched a massive cyberattack earlier this year using an Internet Explorer zero-day flaw.
According to reports, the APT group has used the zero-day exploit to infect its targets with the RokRAT malware and steal information.
The ScarCruft cyberespionage group’s new campaign is called Code on Toast.
A joint report by several research teams named ScarCruft's new campaign "Code on Toast" because it uses toast pop-up advertising to achieve zero-click malware infections. The flaw in question is CVE-2024-38178, a high-severity vulnerability in Internet Explorer.
Microsoft released an update for the bug last August. However, the researchers found that the group's exploit was nearly identical to the one it had used earlier for CVE-2022-41128; the only difference was three lines of code added to bypass Microsoft's earlier fix.
The researchers explained that toast notifications are pop-ups in the corner of the screen shown by software such as antivirus products or free utility apps. The group also compromised one of a domestic advertising agency's servers to push specially modified "toast adverts" to undisclosed free software popular among South Koreans.
These malvertisements contained a malicious iframe that, when rendered in Internet Explorer, caused a JavaScript file called "ad_toast" to execute remote malware via the CVE-2024-38178 flaw.
The malware used in this attack is a RokRAT variant that the threat group has been deploying in attacks for several years.
RokRAT's principal function is to exfiltrate files with 20 specific extensions to a Yandex cloud instance every 30 minutes. The malware can also log keystrokes, monitor clipboard changes, and take screenshots.
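The fixed 30-minute upload cadence described above is exactly the kind of regularity a defender can hunt for in egress logs. The following is an added example, not code from the article or from the researchers' report: it groups constructed proxy log lines by source and destination and flags pairs whose connections are almost evenly spaced. The host name cloud-storage.example is a placeholder standing in for whichever cloud-storage endpoint the malware talks to; it is not taken from the article.

```python
"""Spot periodic upload beacons in web proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.15 uploads on a near-exact 30-minute cycle; 10.0.0.22 is ordinary browsing.
SAMPLE_LOG = """\
2024-05-02T09:00:03 10.0.0.15 cloud-storage.example 41200
2024-05-02T09:30:05 10.0.0.15 cloud-storage.example 38700
2024-05-02T10:00:02 10.0.0.15 cloud-storage.example 40100
2024-05-02T10:30:04 10.0.0.15 cloud-storage.example 39950
2024-05-02T11:00:06 10.0.0.15 cloud-storage.example 42010
2024-05-02T09:02:11 10.0.0.22 news.example 1200
2024-05-02T09:41:57 10.0.0.22 news.example 900
2024-05-02T10:05:30 10.0.0.22 news.example 3100
2024-05-02T11:59:48 10.0.0.22 news.example 1500
"""


def parse_log(text):
    """Group connection timestamps by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def periodicity(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None if too few gaps."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return avg, float("inf")
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=4):
    """Flag flows whose inter-connection gaps are nearly constant (low CV)."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        result = periodicity(stamps)
        if result is None:
            continue
        mean_gap, cv = result
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "events": len(stamps),
                "interval_s": round(mean_gap),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections, "
              f"every ~{hit['interval_s']}s (cv={hit['cv']})")
```

The coefficient of variation (standard deviation divided by the mean gap) is used rather than a fixed 30-minute match so that the same check catches any beacon interval; on real logs, tune `max_cv` upward a little to tolerate jitter from sleep and network delays, and pair the result with the byte counts to separate uploads from small keep-alive polls.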
The infection process in this campaign has at least four stages, and the attack injects as many payloads into the explorer.exe process to evade security tools. If it detects a particular AV solution on the compromised system, it instead injects the malware into a random executable from the C:\Windows\system32 folder.
To establish persistence, the campaign places its final payload in the Windows startup folder and registers it with the system scheduler to run every four minutes.
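The persistence described above (a startup-folder payload that a scheduled task runs every four minutes) leaves artefacts that can be checked directly from exported task definitions. The following added example, which is not code from the article or the researchers' report, parses constructed Task Scheduler XML (the format `schtasks /query /xml` exports) and flags tasks that repeat at five-minute intervals or less, or whose action runs from a user-writable location; the task names and paths are invented.

```python
"""Hunt for high-frequency or user-writable-path scheduled tasks (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed task definitions in Task Scheduler's XML format.
# Task names and paths are invented; neither is taken from the article.
SAMPLE_TASKS = {
    "\\SystemUpdateCheck": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-05-01T08:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe</Command></Exec>
  </Actions>
</Task>""",
    "\\ExampleVendor\\Updater": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>""",
}

# Path fragments that an unprivileged user can write to; a scheduled task whose
# binary lives here is worth a look regardless of its schedule.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\temp\\", "\\startup\\", "\\downloads\\")

# ISO 8601 duration as used by <Interval>, e.g. PT4M, PT1H, P1DT2H.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert a Task Scheduler interval string to seconds (None if unparseable)."""
    match = _DURATION.match(text.strip())
    if not match:
        return None
    days, hours, minutes, seconds = (int(match.group(k) or 0) for k in ("d", "h", "m", "s"))
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _local(tag):
    """Strip the XML namespace so the schema's default namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def task_facts(xml_text):
    """Return (repetition intervals in seconds, executed commands) from a task XML."""
    root = ET.fromstring(xml_text)
    intervals, commands = [], []
    for element in root.iter():
        name = _local(element.tag)
        if name == "Repetition":
            for child in element:
                if _local(child.tag) == "Interval" and child.text:
                    secs = iso_duration_seconds(child.text)
                    if secs is not None:
                        intervals.append(secs)
        elif name == "Command" and element.text:
            commands.append(element.text.strip())
    return intervals, commands


def assess_task(name, xml_text, max_interval_s=300):
    """Score one task; a short repeat interval or a user-writable binary path is suspicious."""
    intervals, commands = task_facts(xml_text)
    reasons = []
    for secs in intervals:
        if secs <= max_interval_s:
            reasons.append(f"repeats every {secs}s")
    for cmd in commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append(f"runs from user-writable path: {cmd}")
    return {"task": name, "suspicious": bool(reasons), "reasons": reasons}


def hunt(tasks):
    """Return the assessments of every suspicious task in a {name: xml} mapping."""
    return [r for r in (assess_task(n, x) for n, x in tasks.items()) if r["suspicious"]]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_TASKS):
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

On a live host, feed the same functions the XML returned per task by `schtasks /query /xml` (or `Export-ScheduledTask` in PowerShell); the four-minute cadence reported for this campaign falls well inside the 300-second threshold, and the startup-folder path trips the second check independently, so either artefact alone is enough to surface the task.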
Hackers can still run such campaigns even though Microsoft ended support for Internet Explorer in mid-2022: many of the browser's components remain in Windows or are used by third-party applications, so attackers can keep looking for new exploitable vulnerabilities in them.