North Korean hackers target South Korea's infrastructure with 'RokRAT' malware
Hackers exploited Internet Explorer vulnerability to propagate RokRAT malware

Dec 09, 2024, 02:11 pm

What's the story

North Korea's state-backed hacker group, ScarCruft, has launched a major cyber-espionage campaign against South Korea. The group, also known as APT37 or RedEyes, is leveraging a vulnerability in the now-defunct Internet Explorer to propagate the RokRAT malware. The latest operation, dubbed "Code on Toast," has raised serious concerns over potential weaknesses in software still embedded within widely used systems.

Attack details

ScarCruft's attack strategy and targets

ScarCruft's attack strategy revolves around exploiting an Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178. The group leveraged toast notifications, the normally harmless pop-up ads shown by antivirus or utility programs, to deliver malware stealthily through a zero-click infection: the hackers breached a South Korean advertising agency's server and spread malicious toast ads through popular free software in the country.

Sophisticated tactics

Malware delivery and evasion techniques

The ads carried a hidden iframe that loaded a JavaScript file exploiting the Internet Explorer vulnerability in JScript9.dll, part of the browser's Chakra engine. The code injected into victim systems was extremely sophisticated, layering additional exploit techniques to bypass earlier Microsoft security patches. The campaign resembled ScarCruft's 2022 abuse of a comparable vulnerability, but with new tricks to avoid detection.

Malware capabilities

RokRAT malware: A potent tool for surveillance and data theft

Once the vulnerability was exploited, ScarCruft deployed RokRAT malware on infected systems. This malware is a powerful tool for surveillance and data theft, capable of exfiltrating files with extensions like .doc, .xls, and .ppt to a Yandex cloud server every 30 minutes. Apart from file theft, RokRAT can record keystrokes, monitor clipboard activity and take screenshots every three minutes.

Infection stages

Infection process and malware's evasion tactics

The infection process occurs in four stages, with payloads concealed inside the 'explorer.exe' process to avoid antivirus detection. If security tools such as Avast or Symantec are detected, the malware adapts by injecting into random executables from the Windows system folder. Persistence is ensured by placing the final payload in the startup folder, running at regular intervals to maintain control.
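As an added defender-side example (not from the article or from any researcher it cites), the following Python flags a workstation whose document uploads to a cloud-storage host recur at a fixed cadence, such as the 30-minute exfiltration interval described above. The log format, workstation names and the cloud-storage hostname are constructed for this example; the hostname is a placeholder, not an indicator from the page.

```python
"""Detect fixed-cadence document uploads to cloud storage (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <workstation> <dst host> <method> <filename>"
SAMPLE_LOG = """\
2024-12-09T09:00:05 WS-17 cloud-storage.example PUT report.doc
2024-12-09T09:03:10 WS-17 intranet.example GET index.html
2024-12-09T09:30:07 WS-17 cloud-storage.example PUT budget.xls
2024-12-09T10:00:04 WS-17 cloud-storage.example PUT slides.ppt
2024-12-09T10:30:09 WS-17 cloud-storage.example PUT notes.doc
2024-12-09T11:00:06 WS-17 cloud-storage.example PUT plan.xls
2024-12-09T09:12:00 WS-22 cloud-storage.example PUT photo.jpg
2024-12-09T14:40:00 WS-22 cloud-storage.example PUT minutes.doc
"""

# Extensions the article names as targeted; hostname is an assumed placeholder.
DOC_EXTS = (".doc", ".xls", ".ppt")
CLOUD_STORAGE_HOSTS = {"cloud-storage.example"}


def find_periodic_uploads(log, min_events=4, tolerance_s=60):
    """Return {workstation: mean_interval_seconds} for hosts whose document
    uploads to a monitored cloud-storage host recur at a near-constant gap.
    tolerance_s bounds the population standard deviation of the gaps."""
    by_host = defaultdict(list)
    for line in log.splitlines():
        ts, host, dst, method, fname = line.split()
        if (method == "PUT" and dst in CLOUD_STORAGE_HOSTS
                and fname.lower().endswith(DOC_EXTS)):
            by_host[host].append(datetime.fromisoformat(ts))

    hits = {}
    for host, times in by_host.items():
        if len(times) < max(min_events, 2):
            continue  # too few uploads to judge a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= tolerance_s:
            hits[host] = round(mean(gaps))
    return hits


if __name__ == "__main__":
    for host, interval in find_periodic_uploads(SAMPLE_LOG).items():
        print(f"{host}: document uploads every ~{interval // 60} min")
```

In the constructed log, WS-17 uploads a document roughly every 1800 seconds and is flagged, while WS-22's two irregular uploads are not.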