North Korean hackers target South Korea by exploiting an Internet Explorer vulnerability to install RokRAT malware.
Toast-type pop-up ads are used to spread malware infections without the user having to click.
An alert has recently been raised about a large-scale cyber espionage campaign carried out by the North Korean hacker group known as ScarCruft, also tracked as APT37 or RedEyes. The group is linked to the North Korean state and specializes in cyber espionage, particularly against human rights activists, defectors, and political organizations in Europe.
The campaign, dubbed "Code on Toast," used a zero-day vulnerability in Internet Explorer to deploy the RokRAT malware. The vulnerability is a critical flaw in Internet Explorer's JScript9.dll that allows remote code execution when exploited. The flaw, tracked as CVE-2024-38178, carries a severity score of 7.5. Although Internet Explorer was officially retired in 2022, many of its components remain present in Windows and in third-party programs, so those components are still exposed to attack.
ScarCruft is known for sophisticated methods, including phishing and the exploitation of software security flaws. In this campaign, the group used pop-up advertisements known as "Toast ads," triggered through a malicious iframe embedded in an advertisement. These notifications, common in antivirus programs and free utilities, allowed the malware to install without any user interaction, making this a zero-click attack.
To carry out the infection, ScarCruft compromised the server of an advertising agency in South Korea and distributed the malicious ads from it. Once the vulnerability was exploited, RokRAT was delivered to the affected systems. The malware's primary function is to exfiltrate sensitive data: it targets files with specific extensions such as .doc, .xls, and .ppt and uploads them to cloud storage on Yandex every 30 minutes.
RokRAT also includes surveillance capabilities such as keylogging, clipboard monitoring, and screenshot capture every three minutes. The infection proceeds in four stages, and each payload is injected into the 'explorer.exe' process to evade detection. On systems running popular antivirus software such as Avast or Symantec, the malware instead injects itself into a randomly chosen executable in the C:\Windows\system32 folder. Persistence is achieved by placing a final payload, 'rubyw.exe', in the Windows startup, scheduled to run every four minutes.
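Two of the behaviours described above, the 30-minute exfiltration cadence and the startup-folder payload, are easy to hunt for in endpoint and proxy telemetry. The following is an added example written for this page, not code from the article or from any vendor report; the log records, the user path and the Yandex host name (storage.yandex.example) are constructed placeholders.

```python
"""Hunt for RokRAT-style indicators in constructed sample logs.

Heuristic 1: outbound connections to one host recurring every ~30 minutes
             (the exfiltration interval described for RokRAT).
Heuristic 2: an executable written into a Windows Startup folder
             (the rubyw.exe persistence payload).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, event kind, detail).
# "net" rows are outbound connections (detail = destination host);
# "file" rows are file creations (detail = path written).
LOGS = [
    ("2024-09-01 09:00:05", "net", "storage.yandex.example"),   # placeholder host
    ("2024-09-01 09:30:07", "net", "storage.yandex.example"),
    ("2024-09-01 10:00:03", "net", "storage.yandex.example"),
    ("2024-09-01 10:30:09", "net", "storage.yandex.example"),
    ("2024-09-01 09:12:00", "net", "update.example.com"),       # benign noise
    ("2024-09-01 11:47:00", "net", "update.example.com"),
    ("2024-09-01 09:01:00", "file",
     r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rubyw.exe"),
    ("2024-09-01 09:02:00", "file", r"C:\Users\u\Documents\notes.doc"),
]


def beaconing_hosts(records, period_s=1800, tolerance_s=60, min_hits=3):
    """Return hosts contacted at a near-constant interval of ~period_s seconds."""
    times = defaultdict(list)
    for ts, kind, detail in records:
        if kind == "net":
            times[detail].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = []
    for host, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Every gap must sit inside the tolerance window around the period.
        if len(stamps) >= min_hits and all(abs(g - period_s) <= tolerance_s for g in gaps):
            flagged.append(host)
    return flagged


def startup_executables(records):
    """Return paths of .exe files written into a Windows Startup folder."""
    hits = []
    for _, kind, path in records:
        low = path.lower()
        if kind == "file" and "\\startup\\" in low and low.endswith(".exe"):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("periodic hosts:", beaconing_hosts(LOGS))
    print("startup executables:", startup_executables(LOGS))
```

Jitter of a few seconds, as in the sample, still matches; widen `tolerance_s` for noisier telemetry, and run the same function with `period_s=240` to look for the four-minute scheduled-task cadence.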