North Korean hacking group ScarCruft has taken advantage of a zero-day flaw in Internet Explorer to spread a dangerous strain of malware. They were able to use infected pop-up ads in a large-scale operation that injected harmful code into unsuspecting users’ systems, targeting individuals in South Korea and Europe.
The attack is linked to a security weakness, cataloged as CVE-2024-38178, found in Internet Explorer’s code. Even though Microsoft officially retired the browser, some of its components continue to be used by various third-party applications, creating ongoing risks. ScarCruft, also referred to as Ricochet Chollima, APT37 or RedEyes, is known for focusing on espionage against political targets, particularly defectors and human rights groups. The group leveraged this vulnerability in one of their latest malware attacks.
Ad Pop-ups Used to Deliver Malware
The method of delivery in this attack was via ‘Toast’ notifications, the small pop-up windows commonly shown by programs installed on desktops. Rather than relying on traditional phishing or watering-hole tactics, the hackers used toast ads, which are usually harmless, to sneak malicious code into victims’ systems.
These ads were shown through a compromised South Korean advertising agency that delivered them via free software used by a large number of South Korean users. The ads themselves contained a hidden iframe that exploited Internet Explorer’s flaw, leading to the execution of malicious JavaScript. The malware payload was then dropped without any interaction required from the user, making it a “zero-click” attack.
ScarCruft’s Malware: RokRAT
RokRAT, the malware deployed through this method, has a long history of use by ScarCruft. It’s designed to steal sensitive information from infected systems. The malware targets particular file types, such as .doc, .xls, and .txt documents, and exfiltrates them to cloud servers controlled by the hackers. It also has additional functions, including logging keystrokes and capturing screenshots at regular intervals.
Once on the system, RokRAT goes through multiple stages to evade detection, including injecting itself into system processes. If it detects antivirus software such as Avast or Symantec, it switches to infecting other parts of the operating system to avoid removal. The malware is set to persist through system restarts, embedding itself into the Windows startup process.
Internet Explorer Code Exposes Systems
Despite Microsoft’s efforts to phase out Internet Explorer, the browser’s underlying code continues to be part of many systems today. While Microsoft did release a patch in August 2024 to fix the specific CVE-2024-38178 vulnerability, many users and software vendors have not yet updated their systems, leaving them vulnerable to this type of attack.
The problem here isn’t necessarily that users are intentionally using Internet Explorer—it’s that many applications still rely on its components, particularly its JScript9.dll file. ScarCruft took advantage of this dependency, reusing a strategy they’d previously employed in an earlier attack (CVE-2022-41128). By altering just a few lines of code, they bypassed earlier security patches.
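The dependency described above is something administrators can measure on their own machines. The PowerShell script below is an added example, not code from the article or from any of the researchers it cites: it reports the on-disk versions of jscript9.dll in the standard Windows system directories and lists which running processes currently have that engine loaded. The patched build number is not stated in the article, so the script only reports versions for comparison against Microsoft’s advisory for CVE-2024-38178.

```powershell
# Added example: inventory the legacy IE JScript engine (jscript9.dll) on a Windows host.
# Assumptions: standard System32/SysWOW64 locations; run elevated so that modules of
# other users' processes can be read. Compare the reported FileVersion with the build
# listed in Microsoft's advisory for CVE-2024-38178 (not reproduced here).

$moduleName = 'jscript9.dll'

# 1. On-disk copies shipped with Windows (64-bit and 32-bit).
$paths = @(
    (Join-Path $env:SystemRoot 'System32\jscript9.dll')
    (Join-Path $env:SystemRoot 'SysWOW64\jscript9.dll')
)
foreach ($p in $paths) {
    if (Test-Path $p) {
        $info = (Get-Item $p).VersionInfo
        Write-Output ("{0}  FileVersion={1}" -f $p, $info.FileVersion)
    }
}

# 2. Processes that have the engine mapped right now, i.e. applications that still
#    depend on Internet Explorer components even though the browser is retired.
$hits = foreach ($proc in Get-Process) {
    try {
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq $moduleName }
        if ($mod) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ModulePath  = $mod.FileName
                FileVersion = $mod.FileVersionInfo.FileVersion
            }
        }
    } catch {
        # Module enumeration fails for some protected processes (or across
        # 32/64-bit boundaries) without elevation; skip those silently.
    }
}
$hits | Sort-Object ProcessName | Format-Table -AutoSize
```

Any process listed in the second table is a candidate for the kind of exploitation described in this article until the engine it loads is at the patched version.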
The operation highlights the need for more stringent patch management across the tech industry. Even though the browser is no longer supported, vulnerabilities in legacy systems provide an easy entry point for threat actors to launch sophisticated attacks. The use of outdated software has now become one of the leading factors enabling large-scale malware campaigns.
Last Updated on November 7, 2024 2:27 pm CET