
North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

by Ravie Lakshmanan

Oct 16, 2024 | Zero-Day / Windows Security

The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT.

The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode. It was patched by Microsoft as part of its Patch Tuesday updates for August 2024.

However, successful exploitation requires an attacker to convince a user to click on a specially crafted URL in order to initiate the execution of malicious code.


The AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea, which were credited with discovering and reporting the shortcoming, have assigned the activity cluster the name Operation Code on Toast.

The organizations are tracking ScarCruft under the moniker TA-RedAnt, which was previously referred to as RedEyes. It’s also known in the wider cybersecurity community under the names APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

The zero-day attack is “characterized by the exploitation of a specific ‘toast’ advertisement program that is commonly bundled with various free software,” ASEC said in a statement shared with The Hacker News. “‘Toast’ ads, in Korea, refers to pop-up notifications that appear at the bottom of the PC screen, typically in the lower-right corner.”

The attack chain documented by the South Korean cybersecurity firm shows that the threat actors compromised the server of an unnamed domestic advertising agency that supplies content to the toast ads with the goal of injecting exploit code into the script of the advertisement content.


The vulnerability is said to have been triggered when the toast program downloads and renders the booby-trapped content from the server.

“The attacker targeted a specific toast program that utilizes an unsupported [Internet Explorer] module to download advertisement content,” ASEC and NCSC said in a joint threat analysis report.

“This vulnerability causes the JavaScript Engine of IE (jscript9.dll) to improperly interpret data types, resulting in a type confusion error. The attacker exploited this vulnerability to infect PCs with the vulnerable toast program installed. Once infected, PCs were subjected to various malicious activities, including remote access.”
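A defender-side inventory check that follows from the report's point above, as an added example that is not from the article or from ASEC/NCSC: list running processes, other than the browsers expected to host it, that have loaded the legacy IE JScript engine (jscript9.dll) or its companion modules, so that third-party helpers such as bundled ad programs still embedding the unsupported engine can be found and updated. The module list and the expected-host list are assumptions to adjust per environment.

```powershell
# Added hunting script (not from the article or the joint report).
# Finds processes that have the legacy IE script/render engine loaded
# outside the hosts where that is expected, and records path + signer
# so each finding can be reviewed and patched or removed.
$LegacyEngineModules = @('jscript9.dll', 'mshtml.dll', 'ieframe.dll')
# Hosts where the IE engine is normal (Edge IE Mode, IE, Explorer) - assumption.
$ExpectedHosts = @('msedge', 'iexplore', 'explorer')

function Get-LegacyIeEngineHosts {
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        if ($ExpectedHosts -contains $proc.ProcessName) { continue }
        try {
            # Module enumeration fails for protected/system processes; skip those.
            $loaded = $proc.Modules |
                Where-Object { $LegacyEngineModules -contains $_.ModuleName }
        } catch {
            continue
        }
        if (-not $loaded) { continue }

        $path = $proc.Path
        $sigStatus = if ($path) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'Unknown' }

        [pscustomobject]@{
            ProcessName   = $proc.ProcessName
            PID           = $proc.Id
            Path          = $path
            Signature     = $sigStatus
            LegacyModules = ($loaded.ModuleName | Sort-Object -Unique) -join ','
        }
    }
}

# Run from an elevated session to see modules of other users' processes.
Get-LegacyIeEngineHosts | Format-Table -AutoSize
```

Any unsigned or unexpected process in the output that loads jscript9.dll to fetch remote content is a candidate for the kind of exposure the report describes and should be updated to a build that no longer uses the IE engine, or removed.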

The latest version of RokRAT is capable of enumerating files, terminating arbitrary processes, receiving and executing commands from a remote server, and gathering data from various applications such as KakaoTalk, WeChat, and browsers like Chrome, Edge, Opera, Naver Whale, and Firefox.


RokRAT is also notable for using legitimate cloud services like Dropbox, Google Cloud, pCloud, and Yandex Cloud as its command-and-control infrastructure, thereby allowing it to blend in with regular traffic in enterprise environments.

This is not the first time ScarCruft has weaponized vulnerabilities in the legacy browser to deliver follow-on malware. In recent years, it has been attributed to the exploitation of CVE-2020-1380, another memory corruption flaw in the Scripting Engine, and CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages.

“The technological level of North Korean hacking organizations has become more advanced, and they are exploiting various vulnerabilities in addition to [Internet Explorer],” the report said. “Accordingly, users should update their operating system and software security.”
