Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

ScarCruft Exploits Internet Explorer Zero-Day Flaw to Drop RokRAT Malware Through Toast Pop-Up Ads



ScarCruft, a state-sponsored cyber-espionage group, exploited an Internet Explorer zero-day flaw in a campaign that researchers at AhnLab's ASEC have dubbed "Code on Toast." The attackers pushed malicious toast pop-up ads that, when rendered by the Internet Explorer engine embedded in a free South Korean application, delivered the RokRAT malware without any user interaction. The attack shows that the retired browser's components remain a live attack surface inside Windows and inside any software that still renders HTML through them, and that patching those components promptly matters even for users who never open Internet Explorer.

  • Malicious ads exploited Internet Explorer zero-day flaw to drop RokRAT malware.
  • ScarCruft, a state-sponsored cyber-espionage threat actor, was behind the attack.
  • The attack used a malicious iframe in "toast ads" to trigger remote code execution in the Internet Explorer engine that rendered the ads.
  • RokRAT malware exfiltrates sensitive data and performs keylogging, clipboard monitoring, and screenshot capture.
  • Users are advised to keep their software up-to-date and vigilant about online threats.
  • The incident highlights the ongoing relevance of Internet Explorer components in Windows systems despite Microsoft's retirement announcement.



  • Malicious ads exploited Internet Explorer zero-day flaw to drop malware.

    By Bill Toulas


    October 16, 2024
    09:59 AM





    According to a report by AhnLab's ASEC, the malicious ads were displayed as toast pop-up notifications by a free Korean application and exploited CVE-2024-38178, a memory-corruption vulnerability in the JScript9 scripting engine (jscript9.dll) used by Internet Explorer. Successful exploitation gave remote code execution on the victim's machine, which ScarCruft used to deploy its signature RokRAT malware. Microsoft fixed the flaw in its August 2024 security updates.

    ScarCruft, also tracked as APT37 and RedEyes, is a North Korean state-sponsored cyber-espionage group known for targeting systems in South Korea and Europe. Its recent campaign, dubbed "Code on Toast," used the Internet Explorer zero-day to infect targets with RokRAT and exfiltrate sensitive data. Instead of phishing, the group relied on advertisements that the victims' software fetched and rendered automatically, so the victim had no decision to make and nothing suspicious to click.

    The attackers compromised a server belonging to a South Korean advertising agency and used it to serve specially crafted "toast ads" (small notification-style pop-ups) through an unnamed free application with a large South Korean user base. The application renders those ads with an Internet Explorer-based web view, so the ad content is parsed by the legacy engine. The malicious ad contained an iframe that loaded a JavaScript file named 'ad_toast'; when the JScript9 engine (jscript9.dll, Chakra) processed it, the script triggered CVE-2024-38178 and achieved remote code execution on the host. The payload dropped in this attack is a variant of RokRAT, a backdoor ScarCruft has used in attacks for several years.

    RokRAT's primary role is to collect files matching 20 extensions (including .doc, .mdb, .xls, .ppt, .txt and .amr) and upload them to a Yandex cloud instance every 30 minutes. It also logs keystrokes, monitors the clipboard for changes and captures a screenshot every 3 minutes. The infection chain the researchers describe has four steps:

  • inject the payload into the 'explorer.exe' process, so the malicious code runs inside a trusted system process and evades security tools;
  • if Avast or Symantec antivirus is detected on the host, inject instead into a randomly chosen executable from the C:\Windows\system32 folder;
  • add the final payload ('rubyw.exe') to Windows startup; and
  • register it in the task scheduler to run every four minutes.

    The last two steps provide persistence across reboots and restart the implant within minutes if the injected process is terminated.
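    A hunt for the persistence pattern just described, written as an added example for this page (it is not code from the ASEC report or the BleepingComputer article). It checks the per-user and all-users Startup folders and Run keys, and lists scheduled tasks that repeat every five minutes or less while executing from outside the Windows and Program Files directories. The five-minute threshold and the trusted-root heuristic are assumptions chosen here; only the four-minute interval and the 'rubyw.exe' name come from the report.

```powershell
# Added example (not code from the ASEC or BleepingComputer write-up): hunt for a payload
# added to Windows startup plus a scheduled task that re-runs it every few minutes.
# Assumptions: a 5-minute threshold (the reported task fires every 4 minutes) and the
# notion that anything under Windows or Program Files is "trusted". Run elevated.

$maxInterval  = [TimeSpan]::FromMinutes(5)
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-TrustedPath([string]$Path) {
    # A path is trusted only if it resolves under one of the trusted roots.
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CommandImage([string]$Command) {
    # Extract the executable from a Run-key command line, honouring a quoted path.
    if (-not $Command) { return '' }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1, [Math]::Max($c.IndexOf('"', 1) - 1, 0)) }
    return $c.Split(' ')[0]
}

# 1. Startup folders (per-user and all-users) and the classic Run keys.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$startupHits = Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.lnk', '.vbs', '.js', '.bat', '.cmd' } |
    Select-Object FullName, LastWriteTime

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runHits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -in $psNoise) { continue }
        if (-not (Test-TrustedPath (Get-CommandImage ([string]$prop.Value)))) {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

# 2. Scheduled tasks whose trigger repeats at most every $maxInterval and whose action
#    executes from outside the trusted roots.
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($trigger in $task.Triggers) {
        $interval = $trigger.Repetition.Interval            # ISO 8601 duration, e.g. PT4M
        if (-not $interval) { continue }
        $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
        if ($span -gt $maxInterval) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no path
            if (Test-TrustedPath $action.Execute) { continue }
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Interval  = $interval
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Author    = $task.Author
            }
        }
    }
}

"--- Startup folder entries ---"
$startupHits | Format-Table -AutoSize | Out-Host
"--- Run keys pointing outside trusted roots ---"
$runHits | Format-Table -AutoSize | Out-Host
"--- Tasks repeating every $($maxInterval.TotalMinutes) min or less, outside trusted roots ---"
$taskHits | Format-Table -AutoSize | Out-Host
```

    Treat the output as leads, not verdicts: legitimate updaters also use short repetition intervals, but a task that repeats every few minutes, runs an executable from a user profile directory and was created recently is worth pulling for a closer look.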

    The exploitation of Internet Explorer zero-days remains a persistent threat because patching the browser does not remove its engine from Windows: even after Microsoft releases a fix, unpatched hosts and applications that embed the engine remain exposed. The researchers also found that ScarCruft's exploit was nearly identical to the one it used in 2022 for CVE-2022-41128, an earlier JScript9 zero-day; only three additional lines of code were needed to bypass Microsoft's earlier fix.

    The incident underscores the need to keep software up to date and to treat ad content loaded by applications as untrusted input. Because the ads were rendered automatically, the exploit required no click from the victim; users had no way of knowing that an application they were running was parsing web content with an outdated engine, which is exactly the condition that lets a knowledgeable threat actor turn one compromised ad server into mass exploitation.

    Furthermore, the case shows that Internet Explorer components remain relevant in Windows even though Microsoft retired the IE 11 desktop application in June 2022. The MSHTML and JScript9 engines are still shipped with Windows and are loaded by any application that renders HTML through the IE WebBrowser control, as well as by Edge's IE mode, so new vulnerabilities in them stay exploitable through those applications. Users are unlikely to notice this exposure, but it is a significant risk that software vendors need to address by moving off the legacy engine.
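    One way to find out whether a Windows host still has applications rendering content through the legacy Internet Explorer engine, as the toast-ad software in this campaign did. This is an added example for this page, not code from the ASEC report or from the affected software: it lists running processes that have mshtml.dll or jscript9.dll mapped, the executables that have registered a document mode for the IE WebBrowser control under FEATURE_BROWSER_EMULATION (a common sign that a program embeds IE), and the jscript9.dll build that is installed. The set of engine DLL names is this example's choice, and the printed version has to be compared manually with the build shipped in Microsoft's August 2024 update.

```powershell
# Added example (not code from the ASEC or BleepingComputer write-up): find applications on
# this host that render HTML with the legacy Internet Explorer engine and therefore expose
# the host to jscript9.dll bugs such as CVE-2024-38178 even if nobody opens IE.
# Assumption: the three DLLs below are a sufficient fingerprint of the IE engine.
# Run in an elevated PowerShell so that other users' processes can be inspected.

$legacyEngines = @('mshtml.dll', 'jscript9.dll', 'ieframe.dll')

# 1. Running processes that have the IE engine DLLs mapped right now.
$running = foreach ($p in Get-Process) {
    try {
        $loaded = @($p.Modules | Where-Object { $legacyEngines -contains $_.ModuleName.ToLower() })
    } catch {
        continue   # access denied or 32/64-bit mismatch; cannot enumerate modules
    }
    if ($loaded.Count -gt 0) {
        [pscustomobject]@{
            ProcessName = $p.ProcessName
            PID         = $p.Id
            Path        = $p.Path
            Engines     = ($loaded.ModuleName | Sort-Object -Unique) -join ', '
        }
    }
}

# 2. Applications that registered a document mode for the WebBrowser control. An entry
#    here means the program embeds IE for rendering, whether or not it is running now.
$emulationKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
)
$registered = foreach ($key in $emulationKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like '*.exe') {
            [pscustomobject]@{ Executable = $prop.Name; DocumentMode = $prop.Value; Hive = $key.Split(':')[0] }
        }
    }
}

# 3. The engine build actually installed, to compare against the August 2024 update.
$engine = Get-Item "$env:SystemRoot\System32\jscript9.dll"

"--- Processes with the IE engine loaded ---"
$running | Format-Table -AutoSize | Out-Host
"--- Executables registered for the WebBrowser control ---"
$registered | Format-Table -AutoSize | Out-Host
"jscript9.dll: version {0}, last modified {1}" -f $engine.VersionInfo.FileVersion, $engine.LastWriteTime
```

    Any third-party program that shows up in either list is parsing whatever HTML it is handed, ads included, with the same engine the exploit targeted, so its exposure is governed by the Windows patch level rather than by the program's own update cycle.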

    BleepingComputer asked ASEC about the number of impacted users and the name of the exploited free software, and we will update this information once available.

    ScarCruft's delivery of a zero-day through toast pop-up ads shows how an ad channel trusted by a widely used application can be turned into an infection vector. Keeping systems and applications updated, and recognising that embedded browser components carry the browser's vulnerabilities, remain the most effective defenses.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/malicious-ads-exploited-internet-explorer-zero-day-to-drop-malware/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-38178

  • https://www.cvedetails.com/cve/CVE-2024-38178/

  • https://www.darkreading.com/threat-intelligence/north-koreasc-arcruft-attackers-target-cybersecurity-pros

  • https://thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html


  • Published: Wed Oct 16 09:59:32 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
