North Korean hackers dump RokRAT malware on South Korea's digital infra, target Internet Explorer

FP Staff December 9, 2024, 11:28:55 IST

Known for their sophisticated attacks, ScarCruft, also called APT37 or RedEyes, has targeted South Korean digital infrastructure, with a focus on human rights activists, defectors, and political entities in Europe

The hackers compromised the server of a South Korean advertising agency, distributing malicious toast ads via a popular but unnamed free software used extensively in the country. These ads carried a hidden iframe triggering a JavaScript file. Image Credit: Reuters

North Korea’s state-linked hacker group, ScarCruft, has launched a major cyber-espionage campaign against South Korea, exploiting a flaw in Internet Explorer to deploy the RokRAT malware. Known for their sophisticated attacks, ScarCruft, also called APT37 or RedEyes, has targeted South Korean digital infrastructure, with a focus on human rights activists, defectors, and political entities in Europe.

This latest campaign, intriguingly named “Code on Toast,” has raised serious concerns about vulnerabilities in software still embedded within widely used systems, even after Internet Explorer’s retirement.


Internet Explorer exploited via innovative “Toast Ads”

ScarCruft’s attack hinges on a clever exploitation of an Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178, with a severity score of 7.5. The group leveraged toast notifications—typically harmless pop-up ads from antivirus software or utility programs—to silently deliver malware through a zero-click infection method.

The hackers compromised the server of a South Korean advertising agency, distributing malicious toast ads via a popular but unnamed free software used extensively in the country. These ads carried a hidden iframe triggering a JavaScript file, which exploited the Internet Explorer vulnerability in the JScript9.dll file of its Chakra engine. Despite Internet Explorer being officially retired in 2022, its lingering components in Windows systems made it a prime target for this attack.
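The delivery mechanism described above, a hidden iframe inside an ad creative that pulls in a JavaScript file, is something an ad-serving team can screen for before creatives are pushed to clients. The following is an added example, not code from the article or from any party it describes: a small parser that flags iframes which are zero-sized or hidden by CSS and records whether they load from a host other than the ad network's own. The sample creative and every hostname in it are constructed for the demonstration.

```python
"""Audit ad creative HTML for hidden iframes (added defensive example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample creative: one ordinary visible ad frame and one
# zero-sized, CSS-hidden frame pointing at a third-party host.
SAMPLE_CREATIVE = """
<div class="toast">
  <img src="https://ads.example.net/banner.png" alt="promo">
  <iframe src="https://ads.example.net/promo.html" width="300" height="120"></iframe>
  <iframe src="https://cdn.third-party.example/load.js" width="0" height="0"
          style="display:none;border:0"></iframe>
</div>
"""

HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")


def iframe_is_hidden(attrs):
    """True if the iframe is hidden by CSS or has a width/height of 0 or 1."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(tok in style for tok in HIDDEN_STYLE_TOKENS):
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().removesuffix("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class HiddenIframeAuditor(HTMLParser):
    """Collects every hidden <iframe> and whether its src is third-party."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if not iframe_is_hidden(attr_map):
            return
        src = attr_map.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        self.findings.append({
            "src": src,
            "host": host,
            "third_party": bool(host) and host != self.first_party_host,
        })


def audit_creative(html, first_party_host):
    """Return a list of hidden-iframe findings for one creative."""
    auditor = HiddenIframeAuditor(first_party_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_creative(SAMPLE_CREATIVE, "ads.example.net"):
        print("hidden iframe:", finding)
```

A hidden, third-party iframe is not proof of malice on its own (tracking pixels use the same trick), but it is exactly the shape an ad network should hold for manual review when the frame's source is a script rather than a document.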

The malicious code injected into systems was alarmingly sophisticated, layering additional exploit stages on top of the flaw to get around earlier Microsoft security patches. This campaign mirrored ScarCruft’s previous use of a similar vulnerability in 2022 but added new tricks to evade detection.

RokRAT malware and its potent threats

Once the vulnerability was exploited, ScarCruft deployed RokRAT malware to infected systems. This malware is a powerful tool for surveillance and data theft. It exfiltrates files with extensions like .doc, .xls, and .ppt to a Yandex cloud server every 30 minutes. Beyond file theft, RokRAT can record keystrokes, monitor clipboard activity, and take screenshots every three minutes, providing a complete surveillance package.

The infection process unfolds in four stages, with payloads hidden within the ‘explorer.exe’ process to escape antivirus detection. If security tools like Avast or Symantec are detected, the malware adapts by injecting into random executables from the Windows system folder. Persistence is ensured by placing the final payload in the startup folder, running at regular intervals to maintain control.
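The fixed cadences described in the two paragraphs above, uploads to a cloud server every 30 minutes from code hidden inside ‘explorer.exe’, are the kind of regularity that stands out in proxy or firewall logs. The following is an added example, not from the article or from any vendor report: it groups outbound connections by process and destination, measures the gaps between them, and flags pairs whose interval barely varies. The log format, hostnames and process list are constructed for the demonstration; real telemetry will need its own field mapping.

```python
"""Flag fixed-interval outbound connections in a connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed connection log: timestamp, process, destination host, bytes sent.
# explorer.exe reaches the same cloud host every ~30 minutes; the browser
# traffic is irregular background noise.
SAMPLE_LOG = """\
2024-12-01T09:00:00 proc=explorer.exe dst=files.cloud-storage.example bytes=48213
2024-12-01T09:04:11 proc=chrome.exe dst=news.example.org bytes=1320
2024-12-01T09:30:00 proc=explorer.exe dst=files.cloud-storage.example bytes=51877
2024-12-01T09:47:52 proc=chrome.exe dst=news.example.org bytes=880
2024-12-01T10:00:01 proc=explorer.exe dst=files.cloud-storage.example bytes=47002
2024-12-01T10:02:30 proc=chrome.exe dst=news.example.org bytes=2210
2024-12-01T10:29:59 proc=explorer.exe dst=files.cloud-storage.example bytes=50390
2024-12-01T10:31:05 proc=chrome.exe dst=mail.example.org bytes=4400
2024-12-01T11:00:00 proc=explorer.exe dst=files.cloud-storage.example bytes=49911
2024-12-01T11:58:40 proc=chrome.exe dst=news.example.org bytes=990
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into (ts, proc, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append((datetime.fromisoformat(ts), kv["proc"], kv["dst"], int(kv["bytes"])))
    return events


def find_beacons(events, min_events=4, max_jitter_ratio=0.05):
    """Return (proc, dst) pairs whose inter-connection gaps are nearly constant.

    jitter is the population standard deviation of the gaps divided by their
    median, so a 30-minute cadence with a second or two of drift scores ~0.
    """
    by_key = defaultdict(list)
    for ts, proc, dst, _ in events:
        by_key[(proc, dst)].append(ts)

    findings = []
    for (proc, dst), stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = pstdev(gaps) / med if med else float("inf")
        if jitter <= max_jitter_ratio:
            findings.append({
                "proc": proc,
                "dst": dst,
                "count": len(stamps),
                "interval_s": round(med),
                "jitter": round(jitter, 4),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['proc']} -> {hit['dst']}: {hit['count']} connections, "
              f"~{hit['interval_s'] // 60} min apart (jitter {hit['jitter']})")
```

Two signals combine here: the cadence itself, and the fact that the process name is explorer.exe, which has no routine reason to upload to consumer cloud storage. Legitimate sync clients also beacon on a schedule, so the finding is a triage queue, not a verdict; the process name and destination are what separate the two.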

South Korea in a state of alarm

The use of such advanced techniques by ScarCruft highlights a growing threat to South Korea’s digital landscape.

Despite efforts to phase out outdated systems, vulnerabilities in legacy components like Internet Explorer remain a weak point. This campaign serves as a stark reminder for organisations to prioritise updates and maintain robust cybersecurity defences against increasingly sophisticated state-backed cyber threats.
