October 16, 2024 at 10:08AM
North Korean hacking group ScarCruft executed a large-scale attack in May using an Internet Explorer zero-day vulnerability (CVE-2024-38178) to disseminate the RokRAT malware via deceptive toast ads. A joint report from South Korea’s NCSC and AhnLab highlights the threat, with Microsoft releasing a security update in August 2024.
**Meeting Notes Takeaways:**
1. **ScarCruft Attack Overview:**
– The North Korean hacking group ScarCruft conducted a large-scale cyber-attack in May, utilizing an Internet Explorer zero-day vulnerability (CVE-2024-38178) to spread RokRAT malware and steal data.
2. **Group Identification:**
– ScarCruft, also known as APT37 or RedEyes, is recognized as a state-sponsored cyber-espionage actor with a focus on targeting South Korean systems, European entities, and North Korean defectors through methods such as phishing and the exploitation of zero-day vulnerabilities.
3. **New Campaign “Code on Toast”:**
– A joint report by South Korea’s NCSC and AhnLab highlighted a recent campaign using “toast pop-up ads” that allowed for zero-click malware infections. This campaign’s method involved the exploitation of the identified zero-day flaw.
4. **Flaw Details:**
– CVE-2024-38178 is classified as a high-severity type confusion flaw in Internet Explorer. Microsoft addressed it with a security update released in August 2024.
5. **Exploitation Similarities:**
– The current exploit shares similarities with a past vulnerability (CVE-2022-41128), with minor modifications to bypass previous security measures by Microsoft.
6. **Malware Deployment:**
– The malware, linked to RokRAT, was delivered through a compromised advertising server that pushed malicious toast ads into a widely used free software product in South Korea, affecting users without their awareness.
7. **Malware Functionality:**
– RokRAT collects files with specific extensions and exfiltrates them to a Yandex cloud instance. It also includes functionalities such as keylogging, clipboard monitoring, and periodic screenshot capturing.
8. **Attack Methodology:**
– The infection process involves multiple payload injections into the ‘explorer.exe’ process to avoid detection. If certain antivirus programs are present, the malware changes its injection method.
9. **Persistence and Risk:**
– The malware ensures persistence by modifying startup processes. Despite the retirement of Internet Explorer, its components remain active in Windows and third-party software, which keeps users vulnerable to exploitation.
10. **Future Updates:**
– Further information about the number of affected users and the specific free software involved is expected to be disclosed as investigations continue.
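The injection, persistence and exfiltration behaviours summarised in items 6 to 9 are the parts a defender can hunt for in endpoint telemetry. The script below is an added illustration, not code from the report, from NCSC/AhnLab or from the original post. It assumes Sysmon-style JSON events (event ID 8 for remote thread creation, 13 for registry value writes, 3 for network connections), assumes Run/RunOnce autostart keys as the "startup" persistence mechanism (the summary does not name the exact mechanism), and runs over a handful of constructed sample records rather than real telemetry from the campaign.

```python
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Autostart locations used by the persistence rule. Assumption: Run/RunOnce
# keys; the summary only says the malware "modifies startup processes".
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# RFC 1918 plus loopback and link-local. A connection from explorer.exe to
# any other address is treated as "external" by the exfiltration rule.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Finding:
    rule: str
    record: dict


def is_internal(ip: str) -> bool:
    """True for private/loopback/link-local addresses; False otherwise."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the three behaviour rules to one Sysmon-style event (assumed schema)."""
    eid = ev.get("EventID")
    if eid == 8:  # CreateRemoteThread: code injected into another process
        if ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
            return Finding("remote_thread_into_explorer", ev)
    elif eid == 13:  # RegistryEvent (value set): autostart persistence
        key = ev.get("TargetObject", "").lower()
        if any(marker in key for marker in RUN_KEY_MARKERS):
            return Finding("run_key_persistence", ev)
    elif eid == 3:  # NetworkConnect: explorer.exe talking to the outside
        if (ev.get("Image", "").lower().endswith("\\explorer.exe")
                and not is_internal(ev.get("DestinationIp", ""))):
            return Finding("explorer_external_connection", ev)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse newline-delimited JSON events and collect findings; skip bad lines."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed record should not abort the whole scan
        found = check_event(ev)
        if found is not None:
            findings.append(found)
    return findings


def rules_fired(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated list of rule names that fired over the input."""
    return sorted({f.rule for f in scan(lines)})


# Constructed sample events (not real telemetry; paths and IPs are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\FreeTool\\freetool.exe"},
    {"EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FreeTool"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.5"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "203.0.113.10"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule}: {f.record}")
```

Each rule on its own is noisy on a real fleet (explorer.exe does make outbound connections, and installers write Run keys), so the useful signal is the combination on one host in a short window: a remote thread into explorer.exe followed by a Run-key write and an external connection from that same process. The `is_internal` check deliberately uses its own allow-list of internal ranges instead of `ipaddress`'s `is_private`, which also treats documentation ranges such as 203.0.113.0/24 as private and would hide the constructed sample.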
This summary encapsulates the main points from the meeting notes regarding the ScarCruft cyber-attack, its methods, the security implications, and the subsequent actions taken by Microsoft and security firms.