In a recent cyber-espionage campaign, the North Korean state-linked group ScarCruft exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets across South Korea. The group, also tracked as APT37 and RedEyes, is one of the most notorious North Korean state-sponsored hacking groups, and its activities are assessed to be aimed at cyber espionage.
Its targeting typically focuses on South Korean human rights activists, North Korean defectors, and political entities in Europe.
Separately, a threat actor with ties to North Korea has been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell in a campaign aimed at Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia, and Thailand.
Tracked by Securonix as SHROUDED#SLEEP, the activity is believed to have been carried out by APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft, among other names.
ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a state-sponsored cyber-espionage group that almost exclusively targets South Korean individuals and organizations.
It delivers customized tools through spear phishing, watering-hole attacks, and zero-day exploits for Internet Explorer.
AhnLab reported that APT37 compromised a server belonging to a domestic online advertising agency and used it to push a specially crafted 'toast ad' through an unnamed free program that is widely used in South Korea.
The advertisement's JavaScript file, named 'ad_toast', triggered remote code execution by exploiting CVE-2024-38178, a memory-corruption flaw in jscript9.dll, the legacy JScript (Chakra) engine that Internet Explorer uses to render these advertisements.
The malware dropped in this attack overlaps heavily with RokRAT, which ScarCruft has used in its attacks for years.
RokRAT's primary function is to exfiltrate, every 30 minutes, files matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt, and .amr) to Yandex cloud storage.
It also logs keystrokes, monitors the clipboard for changes, and captures screenshots every three minutes.
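The fixed 30-minute exfiltration cadence described above is itself a detectable signal, because a human using a cloud-storage service does not contact it on a near-constant timer. The following Python script is an added example, not code from the reports or from any of the vendors cited: it groups proxy-log entries by client and destination, measures the gaps between consecutive requests, and flags pairs whose gaps are nearly constant. The log lines are constructed for the demonstration, and the Yandex Disk API hostname cloud-api.yandex.net is an assumption; the reports only say "Yandex cloud".

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real telemetry): "<ISO-8601 UTC> <client IP> <destination host>".
# 10.1.2.3 contacts the Yandex Disk API every ~30 minutes (RokRAT-style cadence);
# 10.1.2.7 contacts it three times at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-05-20T09:00:12Z 10.1.2.3 cloud-api.yandex.net
2024-05-20T09:05:41Z 10.1.2.3 www.naver.com
2024-05-20T09:30:09Z 10.1.2.3 cloud-api.yandex.net
2024-05-20T10:00:14Z 10.1.2.3 cloud-api.yandex.net
2024-05-20T10:30:11Z 10.1.2.3 cloud-api.yandex.net
2024-05-20T11:00:10Z 10.1.2.3 cloud-api.yandex.net
2024-05-20T09:10:00Z 10.1.2.7 cloud-api.yandex.net
2024-05-20T13:47:00Z 10.1.2.7 cloud-api.yandex.net
2024-05-20T16:02:00Z 10.1.2.7 cloud-api.yandex.net
"""

# Assumed hostname of the Yandex Disk REST API; the reports only say "Yandex cloud".
WATCHED_HOSTS = {"cloud-api.yandex.net"}


def parse_log(text):
    """Parse the three-column log format into (timestamp, client, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host))
    return records


def find_beacons(records, watched_hosts=None, min_hits=4, max_cv=0.1):
    """Return {(client, host): summary} for pairs whose inter-request gaps are nearly
    constant (coefficient of variation <= max_cv) and that have at least min_hits hits."""
    by_pair = defaultdict(list)
    for ts, src, host in records:
        if watched_hosts is None or host in watched_hosts:
            by_pair[(src, host)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times),
                             "interval_min": round(avg / 60, 1),
                             "cv": round(cv, 4)}
    return flagged


if __name__ == "__main__":
    for (src, host), info in find_beacons(parse_log(SAMPLE_LOG), WATCHED_HOSTS).items():
        print(f"{src} -> {host}: {info['hits']} hits every ~{info['interval_min']} min "
              f"(cv={info['cv']})")
```

On real proxy or DNS telemetry the same logic runs per day with the host filter dropped, so that the screenshot and keylog uploads to whichever cloud-storage API the sample is configured for show up as well; the tolerance of 10 percent absorbs ordinary network jitter but not the hours-long, irregular gaps of interactive use.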
In July 2022, just a couple of months after Microsoft began blocking macros by default in several Office document types, ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT.
Check Point's technical analysis of RokRAT concludes that the malware itself has not changed significantly over the years, but its deployment method has evolved: RokRAT now arrives in archives containing LNK files, producing infection chains that move through multiple stages.
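Check Point's observation that the LNK lures are oversized because the payload travels inside the shortcut file suggests a simple triage check. The Python script below is an added example, not code from Check Point or from the campaign: it walks the MS-SHLLINK structure (header, optional ID list and link info, the string fields, and the ExtraData blocks up to the terminal block), treats any bytes after that terminator as appended data, and combines that with a size threshold and a look at what the shortcut launches. The sample shortcut is constructed inside the script; the 1 MB threshold and the placeholder PowerShell arguments are assumptions, not values from the reports.

```python
import struct

# Fixed values from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Assumed triage threshold (not from the reports): legitimate shortcuts are a few KB at most.
OVERSIZE_THRESHOLD = 1024 * 1024


def build_sample_lnk(relative_path, arguments, appended=b""):
    """Construct a minimal Unicode .lnk (header, two StringData fields, ExtraData
    terminator) and optionally append bytes after the end of the structure.
    This is a constructed sample for the demonstration, not a file from the campaign."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    terminator = struct.pack("<I", 0)  # ExtraData TerminalBlock (BlockSize < 4)
    return header + body + terminator + appended


def parse_lnk(data):
    """Walk the shell-link structure; return (string fields, offset where it ends)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:
        size, = struct.unpack_from("<I", data, off)  # LinkInfoSize covers the whole block
        off += size
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count, = struct.unpack_from("<H", data, off)  # CountCharacters
            off += 2
            nbytes = count * 2 if flags & IS_UNICODE else count
            strings[name] = data[off:off + nbytes].decode(
                "utf-16-le" if flags & IS_UNICODE else "cp1252")
            off += nbytes
    while off + 4 <= len(data):  # ExtraData blocks until the TerminalBlock
        size, = struct.unpack_from("<I", data, off)
        if size < 4:
            off += 4
            break
        off += size
    return strings, off


def triage_lnk(data, threshold=OVERSIZE_THRESHOLD):
    """Heuristic verdict: size, bytes appended past the structure, and launcher target."""
    strings, end = parse_lnk(data)
    trailing = data[end:]
    launch = (strings.get("relative_path", "") + " " + strings.get("arguments", "")).lower()
    indicators = []
    if len(data) > threshold:
        indicators.append("oversized")
    if trailing:
        indicators.append("trailing_data")
    if b"MZ" in trailing:
        indicators.append("embedded_pe_marker")
    if any(h in launch for h in ("powershell", "cmd.exe", "mshta", "wscript")):
        indicators.append("script_host_launcher")
    return {"size": len(data), "structure_end": end, "trailing_bytes": len(trailing),
            "strings": strings, "indicators": indicators}


if __name__ == "__main__":
    suspicious = build_sample_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-WindowStyle Hidden -NoProfile -Command "..."',  # placeholder arguments
        appended=b"MZ" + bytes(2 * 1024 * 1024))  # constructed 2 MB tail standing in for a payload
    benign = build_sample_lnk(r"..\Documents\report.docx", "")
    for label, blob in (("suspicious", suspicious), ("benign", benign)):
        print(label, triage_lnk(blob)["indicators"])
```

Appended data after the terminal block is the decisive signal: Explorer ignores it, so a legitimate shortcut never has it, while a lure that carves its own payload out of the .lnk file must carry it there. The size threshold alone would miss smaller droppers, and the launcher check alone fires on plenty of legitimate admin shortcuts, which is why the verdict reports all three.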
This round of activity is another indication of a broader trend in the threat landscape, in which both APTs and cybercriminals work around the restrictions on macros from untrusted sources.
A new campaign with the intriguing name "Code on Toast" has raised serious concerns about the vulnerability of software still embedded in widely used systems, even after the retirement of Internet Explorer. According to a joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab's ASEC, the incident occurred earlier this year.
What makes the campaign unusual is its delivery method: ScarCruft distributed its malware through toast notifications, the small pop-up ads that antivirus products and free utilities display while running.
After compromising the server of a domestic advertising agency in South Korea, the group pushed a malicious "toast ad" of its own making to a large number of South Korean users through a popular, though unnamed, free program.
The attack relied on CVE-2024-38178, a zero-day Internet Explorer vulnerability with a CVSS severity rating of 7.5. It is a memory corruption bug in the Scripting Engine that allows remote code execution when content is rendered by Edge in Internet Explorer mode, or by software that embeds the same legacy engine.
Microsoft patched the vulnerability in its August 2024 Patch Tuesday release, the company's monthly security update.
By riding on toast notifications, normally harmless pop-up ads from antivirus or utility programs, the group delivered the malware silently in a zero-click infection.
Microsoft's advisory describes the general exploitation scenario as requiring an attacker to convince a user to click a specially crafted URL; in this campaign the ad-serving software loaded the attacker's content automatically, so no such interaction was needed.
The techniques ScarCruft used underline how much of South Korea's digital landscape still needs protecting from threats of this kind.
However much effort goes into phasing out outdated systems, vulnerabilities in legacy components such as Internet Explorer continue to cause problems. Although Microsoft retired the Internet Explorer 11 desktop application in June 2022, many of the browser's components remain in Windows or are used by third-party products, giving threat actors new vulnerabilities to find and exploit. This campaign is a reminder for organizations to prioritize security updates and maintain robust defences against increasingly sophisticated state-backed threats.