RokRAT: old IE has once again become a loophole for the virus

How North Korean hackers disguise malicious code as regular notifications.

The ScarCruft group from North Korea has once again exploited a Windows vulnerability to spread the RokRAT malware. The attack abuses CVE-2024-38178 (CVSS 7.5), a memory-corruption flaw in the Scripting Engine that allows remote code execution through Edge running in Internet Explorer mode.

Microsoft released a fix for this issue in the August 2024 Patch Tuesday updates, but the attackers have not slowed down and are actively targeting unpatched systems.

To trigger the attack, the attackers need to convince the victim to open a specially prepared link. Researchers from ASEC and South Korea's National Cyber Security Center (NCSC) have dubbed the campaign "Operation Code on Toast." Internationally, the ScarCruft group is also tracked as TA-RedAnt, APT37, InkySquid, Reaper, Ricochet Chollima and Ruby Sleet.

A distinctive feature of this attack was the use of "toast" adware, software that displays advertising notifications in the bottom corner of the screen. The attackers compromised the server of an unnamed advertising agency that supplies content for those notifications and injected malicious code into the ad script.

The vulnerability was triggered when the malicious ad content was rendered by the "toast" program through an outdated Internet Explorer module. This caused a type confusion error in the JavaScript engine (jscript9.dll), which allowed the attackers to compromise systems running the vulnerable program and gain remote access.

The updated version of RokRAT can manage files, terminate processes, execute commands from a remote server, and collect data from popular applications such as KakaoTalk and WeChat, as well as from browsers including Chrome, Edge, Opera and Firefox. For command and control, RokRAT uses legitimate cloud services, including Dropbox, Google Cloud and Yandex Cloud, to mask its traffic among ordinary activity.
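Because RokRAT hides its command and control behind services that legitimate software also talks to, blocking those domains is rarely an option; the defender's signal is instead which process is doing the talking. The script below is an added example written for this article, not code from ASEC, NCSC or the original post: it parses constructed Sysmon-style network events, maps destination hosts to the three cloud providers the article names (the domain suffixes and the allow-list of expected processes are assumptions), and flags any other process that connects to them, rating a process that fans out to several providers as the stronger finding.

```python
"""Flag non-browser processes contacting cloud-storage services.

Added example for the RokRAT article. The cloud providers come from the
article; the domain suffixes, the allow-list and every log line below are
constructed for illustration and are not indicators from the campaign.
"""
import re

# Services the article says RokRAT uses for C2. Suffixes are assumptions.
CLOUD_DOMAINS = {
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "google_cloud": ("googleapis.com",),
    "yandex": ("yandex.net", "yandex.ru"),
}

# Processes from which traffic to those services is expected (assumed allow-list).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "dropbox.exe"}

# Constructed network-connection events in a Sysmon-like shape:
# "<timestamp> <pid> <image> -> <destination host>:<port>"
SAMPLE_LOG = """\
2024-10-01T09:00:01 4120 chrome.exe -> www.dropbox.com:443
2024-10-01T09:00:05 3388 dropbox.exe -> api.dropboxapi.com:443
2024-10-01T09:01:10 5521 rundll32.exe -> api.dropboxapi.com:443
2024-10-01T09:01:12 5521 rundll32.exe -> cloud-api.yandex.net:443
2024-10-01T09:02:00 7012 msedge.exe -> storage.googleapis.com:443
2024-10-01T09:03:30 6644 svchost.exe -> storage.googleapis.com:443
2024-10-01T09:04:00 6644 svchost.exe -> ctldl.windowsupdate.com:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+->\s+(?P<host>[^:\s]+):(?P<port>\d+)$"
)


def classify_host(host):
    """Return the cloud service a destination host belongs to, or None."""
    host = host.lower().rstrip(".")
    for service, suffixes in CLOUD_DOMAINS.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return service
    return None


def parse_line(line):
    """Parse one event line into a dict, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_suspicious(log_text):
    """Group cloud-service connections by process and keep the unexpected ones.

    Returns a list of findings sorted so that processes touching the most
    distinct providers come first; ties keep first-seen order.
    """
    by_process = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        service = classify_host(event["host"])
        if service is None:
            continue  # not one of the providers we care about
        image = event["image"].lower()
        if image in EXPECTED_PROCESSES:
            continue  # a browser or sync client is expected to talk to these
        key = (int(event["pid"]), image)
        entry = by_process.setdefault(
            key,
            {"pid": key[0], "image": image, "services": set(),
             "connections": 0, "first_seen": event["ts"]},
        )
        entry["services"].add(service)
        entry["connections"] += 1

    findings = []
    for entry in by_process.values():
        entry["services"] = sorted(entry["services"])
        # One unexpected process fanning out to several providers is the stronger signal.
        entry["severity"] = "high" if len(entry["services"]) > 1 else "medium"
        findings.append(entry)
    findings.sort(key=lambda e: (-len(e["services"]), e["first_seen"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f"[{finding['severity']}] pid={finding['pid']} {finding['image']} "
              f"-> {', '.join(finding['services'])} ({finding['connections']} connections)")
```

On the constructed input this reports rundll32.exe (Dropbox and Yandex, high) and svchost.exe (Google Cloud, medium); the Windows Update connection from svchost.exe is ignored because its host maps to no listed provider. In production the allow-list would come from an inventory of software actually entitled to use each service, and the events from Sysmon Event ID 3 or equivalent EDR telemetry.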

This is not the first time the ScarCruft group has exploited Internet Explorer vulnerabilities; it has previously been credited with attacks using CVE-2020-1380 and CVE-2022-41128. Experts emphasize that North Korean hackers continue to refine their methods and exploit a variety of vulnerabilities, and recommend keeping operating systems and applications regularly updated to protect against such attacks.
