October 16, 2024 at 07:45AM
North Korean group ScarCruft exploited a zero-day vulnerability (CVE-2024-38178) in Windows to deploy RokRAT malware via a compromised advertising server. Users are tricked into clicking malicious links. This incident showcases ScarCruft’s evolving techniques, emphasizing the need for software updates to enhance security against such threats.
### Meeting Takeaways – October 16, 2024
**Subject:** Zero-Day Exploitation by North Korean Threat Actor (ScarCruft)
1. **Identification of Threat Actor:**
– ScarCruft, also known as TA-RedAnt, APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet, is linked to a new zero-day exploit targeting Windows.
2. **Vulnerability Details:**
– **CVE-2024-38178:** Memory corruption bug in the Scripting Engine leading to remote code execution when using Edge in Internet Explorer Mode (CVSS score: 7.5).
– This vulnerability was patched in August 2024 as part of Microsoft’s Patch Tuesday updates.
3. **Exploitation Method:**
– The attack requires user interaction, where the victim must click a specially crafted URL to execute the malicious code.
– Attackers compromised an advertising agency’s server to inject exploit code into “toast” advertisement scripts.
4. **Attack Characteristics:**
– The zero-day attack exploits pop-up notifications (toast ads) rendered by a specific program using an unsupported Internet Explorer module.
– Malicious activities post-infection include remote access, file enumeration, process termination, and data collection from various applications.
5. **Capabilities of RokRAT:**
– The latest version can execute commands from a remote server and aggregate data from applications like KakaoTalk, WeChat, and various web browsers.
– Utilizes legitimate cloud services (Dropbox, Google Cloud, etc.) as command-and-control servers to blend in.
6. **Historical Context & Recommendations:**
– ScarCruft has a history of exploiting vulnerabilities in legacy browsers for malware distribution.
– Users are strongly encouraged to update their operating systems and software to mitigate risks associated with these security flaws.
7. **Collaboration Between Agencies:**
– The vulnerability discovery and reporting were a joint effort by AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of South Korea.
**Next Steps:**
– Ensure all relevant software updates are applied and review security protocols to mitigate potential threats linked to this vulnerability.
For further updates, follow on Twitter and LinkedIn.