North Korean hackers target South Korea with Internet Explorer
vulnerabilities to deploy RokRAT malware
Date:
Sun, 08 Dec 2024 22:12:00 +0000
Description:
North Korean hacker intensifies cyber-espionage efforts by targeting media organizations and experts in South Korean affairs.
FULL STORY
North Korean state-linked hacker ScarCruft recently conducted a large-scale cyber-espionage campaign using an Internet Explorer zero-day flaw to deploy RokRAT malware , experts have warned.
The group, also known as APT37 or RedEyes, is a North Korean state-sponsored hacking group known for cyber-espionage activities.
This group typically focuses on South Korean human rights activists,
defectors, and political entities in Europe.
Internet Explorer Zero-Day flaw exploited
Over the years, ScarCruft has developed a reputation for using advanced techniques such as phishing, watering hole attacks, and exploiting zero-day vulnerabilities in software to infiltrate systems and steal sensitive information.
Their latest campaign, dubbed "Code on Toast," was revealed in a joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab (ASEC).
This campaign used a unique method involving toast pop-up ads to deliver zero-click malware infections.
The innovative aspect of this campaign lies in how ScarCruft used toast notifications - small pop-up ads displayed by antivirus software or free utility programs - to spread their malware.
ScarCruft compromised a domestic advertising agencys server in South Korea to push malicious "Toast ads" through a popular but unnamed free software used
by many South Koreans.
These malicious ads included a specially crafted iframe that triggered a JavaScript file named ad_toast, which executed the Internet Explorer zero-day exploit. By using this zero-click method, ScarCruft was able to silently
infect systems without user interaction.
The high-severity vulnerability in Internet Explorer used in this attack is tracked as CVE-2024-38178 and has been given a severity score of 7.5. The
flaw exists in Internet Explorers JScript9.dll file, part of its Chakra
engine, and allows remote code execution if exploited. Despite Internet Explorers official retirement in 2022, many of its components remain embedded in Windows or third-party software, making them ripe targets for
exploitation.
ScarCrufts use of the CVE-2024-38178 vulnerability in this campaign is particularly alarming because it closely resembles a previous exploit they
used in 2022 for CVE-2022-41128. The only difference in the new attack is an additional three lines of code designed to bypass Microsofts earlier security patches.
Once the vulnerability is exploited, ScarCruft delivers RokRAT malware to the infected systems. RokRAT is primarily used to exfiltrate sensitive data with the malware targeting files with specific extensions like .doc, .xls, .ppt,
and others, sending them to a Yandex cloud every 30 minutes. In addition to file exfiltration, RokRAT has surveillance capabilities, including
keylogging, clipboard monitoring, and screenshot capture every three minutes.
The infection process consists of four stages, with each payload injected
into the explorer.exe process to evade detection. If popular antivirus tools like Avast or Symantec are found on the system, the malware is instead
injected into a random executable from the C:\Windows\system32 folder. Persistence is maintained by placing a final payload, rubyw.exe, in the
Windows startup and scheduling it to run every four minutes.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/North-Korean-hackers-target-South-Korea-with-int ernet-Explorer-vulnerabilities-to-deploy-RokRAT-malware
$$
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)