North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware
Summary:
North Korean threat actor ScarCruft, also known as TA-RedAnt, APT37, and several other aliases, has been linked to the exploitation of a now-patched zero-day vulnerability in Windows, identified as CVE-2024-38178 (CVSS score: 7.5). This flaw, a memory corruption issue in the Windows Scripting Engine, allowed remote code execution when using Microsoft Edge in Internet Explorer Mode. Microsoft patched the vulnerability as part of its August 2024 Patch Tuesday updates. Exploitation required tricking a user into clicking a specially crafted URL, which then triggered the malicious code.
The attack, dubbed "Operation Code on Toast," was discovered by the AhnLab Security Intelligence Center and the National Cyber Security Center (NCSC) of South Korea, which are credited with reporting the flaw. ScarCruft, operating under the alias TA-RedAnt in this campaign, leveraged a pop-up ad program called "toast," commonly used in South Korea. These "toast" notifications appear as small pop-ups in the bottom-right corner of the screen, often bundled with various free software. The attack chain involved the compromise of a domestic advertising agency’s server, which distributed the malicious code through its toast ads. The compromised ads exploited the CVE-2024-38178 flaw, downloading and rendering booby-trapped content from the server to infect devices. Specifically, the attacker targeted a toast program that used an outdated Internet Explorer module to retrieve advertisement content. The vulnerability in the Scripting Engine caused the JavaScript engine to misinterpret data types, leading to a type confusion error that allowed ScarCruft to execute malicious code remotely.
Once the system was compromised, the malware deployed was a new variant of RokRAT. RokRAT is a powerful remote access tool capable of performing a wide range of malicious activities, including file enumeration, process termination, command execution from a remote server, and data exfiltration from apps like KakaoTalk, WeChat, and various web browsers (Chrome, Edge, Firefox, Opera, and Naver Whale). Notably, RokRAT uses legitimate cloud services like Dropbox, Google Cloud, pCloud, and Yandex Cloud for command-and-control (C2) communications, blending its traffic with normal enterprise activity, making it harder to detect.
Security Officer Comments:
ScarCruft has a history of exploiting vulnerabilities in older Windows components, having previously weaponized similar flaws such as CVE-2020-1380, a memory corruption bug in the Internet Explorer Scripting Engine, and CVE-2022-41128, another remote code execution vulnerability in Windows Scripting Languages. These campaigns have shown a consistent pattern of abusing outdated browser modules to deliver sophisticated malware. ASEC and NCSC noted that North Korean hacking groups, including ScarCruft, are continuously advancing their technological capabilities and diversifying the vulnerabilities they target.
Suggested Corrections:
Apply Security Patches: Ensure all systems are updated with the latest security patches, including Microsoft’s August 2024 Patch Tuesday updates that fix the CVE-2024-38178 vulnerability. Regularly patching systems helps protect against zero-day exploits.
Disable Internet Explorer Mode: Disable or restrict the use of Internet Explorer Mode in Edge if it is not required. Many of ScarCruft's campaigns exploit legacy browser components, so minimizing the use of these outdated features reduces exposure.
Enhance Browser Security: Consider implementing stricter security settings for browsers, including disabling JavaScript where possible, or using browser extensions to block suspicious scripts. Use modern browsers and avoid reliance on legacy technologies like Internet Explorer.
Use URL Filtering and Web Proxy: Deploy URL filtering or web proxies to block access to malicious websites. This can prevent users from being tricked into clicking on malicious URLs, a common method in phishing and exploit campaigns.
Train Users on Phishing and Malicious Links: Educate users to be cautious about clicking on unsolicited links, especially in advertisements or emails, as exploitation often requires user interaction. Conduct regular phishing awareness training to help users identify potential threats.
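The first two corrections above (patch level and Internet Explorer Mode in Edge) can be checked and enforced on a host from PowerShell. The script below is an added example written for this page, not code from the advisory or from ASEC/NCSC. It assumes the documented Edge policy InternetExplorerIntegrationLevel (0 = None, 1 = IE mode, 2 = NeedIE) and InternetExplorerIntegrationSiteList under HKLM\SOFTWARE\Policies\Microsoft\Edge; the KB identifier is a placeholder, because the advisory names only the August 2024 Patch Tuesday release and the exact cumulative update KB depends on the OS build.

```powershell
# Added example (not from the advisory or from ASEC/NCSC): audit, and optionally
# enforce, the patch-level and IE-Mode items from "Suggested Corrections".
# Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

param(
    # Placeholder: the August 2024 cumulative update KB for this OS build;
    # look it up in Microsoft's release notes before running.
    [string]$RequiredKb = 'KB<august-2024-cumulative-update>',
    # Pass -Enforce to write the hardening policy instead of only reporting.
    [switch]$Enforce
)

$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$findings   = @()

# 1. Internet Explorer Mode in Edge is governed by the
#    InternetExplorerIntegrationLevel policy: 0 = None, 1 = IE mode, 2 = NeedIE.
$level = (Get-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationLevel `
            -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
if ($null -eq $level) {
    $findings += 'IE Mode: no policy set, so IE Mode is not blocked by policy on this host'
} elseif ($level -ne 0) {
    $findings += "IE Mode: InternetExplorerIntegrationLevel=$level (IE Mode permitted)"
}

# An enterprise site list keeps the legacy rendering path reachable; report it so it
# can be reviewed and trimmed to sites that genuinely still need it.
$siteList = (Get-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationSiteList `
               -ErrorAction SilentlyContinue).InternetExplorerIntegrationSiteList
if ($siteList) {
    $findings += "IE Mode: site list configured at $siteList, review whether it is still required"
}

# 2. Patch level: Get-HotFix lists installed cumulative/security updates by KB id.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $RequiredKb }
if (-not $installed) {
    $findings += "Patch: $RequiredKb not present in Get-HotFix output"
}

# Report the OS build as well, for comparison against Microsoft's release notes.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host "OS build: $($cv.CurrentBuildNumber).$($cv.UBR)"

# 3. Optional enforcement: set the policy so Edge will not load sites in IE Mode.
if ($Enforce) {
    if (-not (Test-Path $edgePolicy)) { New-Item -Path $edgePolicy -Force | Out-Null }
    Set-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
    Write-Host 'Set InternetExplorerIntegrationLevel=0 (IE Mode disabled by policy).'
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Run it once without -Enforce to collect findings across a fleet (for example through a management agent), then with -Enforce on hosts where no application still depends on IE Mode. Machine policy written to HKLM takes effect the next time Edge reads policy; a Group Policy or Intune setting for the same policy name is the preferred way to deploy it at scale.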
Link(s):
https://thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html
https://asec.ahnlab.com/en/83877/