
North Korean hackers dump RokRAT malware on South Korea’s digital infra, target Internet Explorer

North Korea’s state-linked hacker group, ScarCruft, has launched a major cyber-espionage campaign against South Korea, exploiting a flaw in Internet Explorer to deploy the RokRAT malware. Known for their sophisticated attacks, ScarCruft, also called APT37 or RedEyes, has targeted South Korean digital infrastructure, with a focus on human rights activists, defectors, and political entities in Europe.

This latest campaign, intriguingly named “Code on Toast,” has raised serious concerns about vulnerabilities in software still embedded within widely used systems, even after Internet Explorer’s retirement.

Internet Explorer exploited via innovative “toast ads”

ScarCruft’s attack hinges on a clever exploitation of an Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178, with a severity score of 7.5. The group leveraged toast notifications—typically harmless pop-up ads from antivirus software or utility programs—to silently deliver malware through a zero-click infection method.

The hackers compromised the server of a South Korean advertising agency and distributed malicious toast ads through a popular but unnamed free software product used extensively in the country. These ads carried a hidden iframe that loaded a JavaScript file, which exploited the Internet Explorer vulnerability in JScript9.dll, the library implementing the browser's Chakra JScript engine. Although Internet Explorer was officially retired in 2022, its components remain present on Windows systems, and that residual code is what made the attack possible.

The injected code was alarmingly sophisticated: it layered additional exploit steps on top of the vulnerability to get around earlier Microsoft security patches. The campaign mirrored ScarCruft's use of a similar vulnerability in 2022 but added new tricks to evade detection.

RokRAT malware and its potent threats

Once the vulnerability had been exploited, ScarCruft deployed the RokRAT malware on the infected systems. RokRAT is a powerful surveillance and data-theft tool: it exfiltrates files with extensions such as .doc, .xls, and .ppt to a Yandex cloud server every 30 minutes. Beyond file theft, it can record keystrokes, monitor clipboard activity, and take screenshots every three minutes, providing a complete surveillance package.

The infection process unfolds in four stages, with payloads hidden inside the 'explorer.exe' process to escape antivirus detection. When security tools such as Avast or Symantec detect the malware, it adapts by injecting itself into randomly chosen executables from the Windows system folder. It maintains persistence by placing the final payload in the startup folder and running it at regular intervals to keep control of the host.
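The fixed cadences described above (uploads every 30 minutes, screenshots every three minutes) are exactly the kind of regularity a defender can hunt for in network logs. The following script is an added example, not code from the article or from any vendor report it summarises: it parses a small set of constructed proxy log lines (the timestamp/source/destination/bytes format is an assumption, and the destination host is a placeholder rather than a real Yandex endpoint) and flags source/destination pairs whose connection intervals cluster tightly around an expected period. The period is a parameter, so the same check generalises to other beaconing intervals.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (assumed format: "<iso-timestamp> <src_ip> <dst_host> <bytes_out>").
# Host 10.0.0.5 uploads to the placeholder cloud host every ~30 minutes; 10.0.0.7 does not.
SAMPLE_LOG = """\
2024-10-15T09:00:12 10.0.0.5 api.example-cloud.test 48213
2024-10-15T09:30:09 10.0.0.5 api.example-cloud.test 51002
2024-10-15T10:00:14 10.0.0.5 api.example-cloud.test 47790
2024-10-15T10:30:11 10.0.0.5 api.example-cloud.test 49120
2024-10-15T09:03:40 10.0.0.7 api.example-cloud.test 1200
2024-10-15T12:47:02 10.0.0.7 api.example-cloud.test 3300
2024-10-15T09:05:00 10.0.0.5 www.news.test 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, expected_period_s=1800, tolerance_s=120, min_events=3):
    """Group connections by (src, dst) and flag pairs whose inter-arrival gaps
    average close to expected_period_s with low jitter.

    Returns a list of dicts describing each suspicious pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, _nbytes in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps)  # population std-dev of the gaps
        if abs(avg_gap - expected_period_s) <= tolerance_s and jitter <= tolerance_s:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "avg_gap_s": round(avg_gap, 1),
                "jitter_s": round(jitter, 1),
            })
    return findings


def scan(text, **kwargs):
    """Convenience wrapper: parse the log text and return beaconing findings."""
    return find_beacons(parse_log(text), **kwargs)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"avg gap {f['avg_gap_s']}s, jitter {f['jitter_s']}s")
```

In practice the tolerance needs tuning: legitimate software updaters and cloud sync clients also poll on fixed schedules, so a hit is a lead for triage (what process opened the connection, what was uploaded) rather than a verdict on its own. Running it against three-minute intervals (`expected_period_s=180`) would surface the screenshot cadence if those captures are sent as they are taken rather than batched.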

South Korea is in a state of alarm.

The use of such advanced techniques by ScarCruft highlights a growing threat to South Korea’s digital landscape.

Despite efforts to phase out outdated systems, vulnerabilities in legacy components like Internet Explorer remain a weak point. This campaign serves as a stark reminder for organizations to prioritize updates and maintain robust cybersecurity defenses against increasingly sophisticated state-backed cyber threats.
