North Korean hackers target South Korea's infrastructure with 'RokRAT' malware
What's the story
North Korea's state-backed hacker group, ScarCruft, has launched a major cyber-espionage campaign against South Korea. The group, also known as APT37 or RedEyes, is leveraging a vulnerability in the now-defunct Internet Explorer to propagate the RokRAT malware. The latest operation, dubbed "Code on Toast," has raised serious concerns over potential weaknesses in software still embedded within widely used systems.
Attack details
ScarCruft's attack strategy and targets
ScarCruft's attack strategy revolves around exploiting an Internet Explorer zero-day vulnerability, dubbed CVE-2024-38178. The group leveraged toast notifications, typically harmless pop-up ads from antivirus or utility programs, to stealthily deliver malware via a zero-click infection method. The hackers breached a South Korean advertising agency's server and spread malicious toast ads through popular free software in the country.
Sophisticated tactics
Malware delivery and evasion techniques
The ads had a hidden iframe that triggered a JavaScript file, exploiting the Internet Explorer vulnerability in the JScript9.dll file of its Chakra engine. The malicious code injected into systems was extremely sophisticated, bypassing earlier Microsoft security patches with additional layers of exploit. This campaign was similar to ScarCruft's previous use of a similar vulnerability in 2022 but with new tricks to avoid detection.
Malware capabilities
RokRAT malware: A potent tool for surveillance and data theft
Once the vulnerability was exploited, ScarCruft deployed RokRAT malware on infected systems. This malware is a powerful tool for surveillance and data theft, capable of exfiltrating files with extensions like .doc, .xls, and .ppt to a Yandex cloud server every 30 minutes. Apart from file theft, RokRAT can record keystrokes, monitor clipboard activity and take screenshots every three minutes.
Infection stages
Infection process and malware's evasion tactics
The infection process occurs in four stages, with payloads concealed inside the 'explorer.exe' process to avoid antivirus detection. If security tools such as Avast or Symantec are detected, the malware adapts by injecting into random executables from the Windows system folder. Persistence is ensured by placing the final payload in the startup folder, running at regular intervals to maintain control.