North Korean Hackers Exploit Internet Explorer Vulnerability to Deploy RokRAT Malware

The North Korea-backed hacking group APT37 exploited a zero-day vulnerability in Internet Explorer to deploy RokRAT malware.

Published: Oct 22, 2024


Key Takeaways:

  • The North Korea-backed group APT37 exploited a zero-day vulnerability in Internet Explorer.
  • The hackers leveraged a compromised domestic advertisement agency to inject malicious code into Toast pop-up ads.
  • Security experts emphasize the importance of keeping systems updated with the latest security patches.

Cybersecurity researchers have issued a security advisory about a new supply chain campaign that allowed the North Korea-backed hacking group APT37 to compromise Windows devices this summer. This threat actor exploited a zero-day vulnerability in Internet Explorer to deploy the RokRAT malware, allowing them to exfiltrate sensitive data.

Microsoft officially dropped support for Internet Explorer 11 back in June 2022. Most organizations have already transitioned to modern web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. However, some legacy applications still rely on Internet Explorer and might not work in new web browsers.

How APT37 leveraged Toast pop-up ads to deliver RokRAT malware

According to the AhnLab Security Intelligence Center (ASEC), the hackers abused Toast pop-up ads served by an ad program commonly bundled with free software tools. Toasts are pop-up notifications that appear on the screen for a short duration.

Specifically, the state-sponsored hacking group targeted a domestic advertisement agency and exploited the CVE-2024-38178 vulnerability to display specially crafted Toast ads on users’ computers. Instead of legitimate advertisements, the Toast script started the deployment of the RokRAT malware that allowed hackers to steal data from their victims.

“They then injected vulnerability code into the server’s ad content script. This vulnerability is exploited when the ad program downloads and renders the ad content. As a result, a zero-click attack occurred without any interaction from the user,” the AhnLab researchers explained.

Call for Best Security Practices

AhnLab and the National Cyber Security Centre (NCSC) were the first to discover and report the Internet Explorer vulnerability to Microsoft. In response, Microsoft released the August 2023 Patch Tuesday updates to fix the zero-day flaw in affected systems. However, the continued reliance on Internet Explorer components in other software still poses significant security risks.
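Because the risk described above comes from third-party software that still renders content with the legacy IE engine, the first defensive step is an inventory. The following PowerShell check is an added example (not from the article or from AhnLab's report): it lists running processes that have loaded the legacy IE engine DLLs and the FEATURE_BROWSER_EMULATION registry entries that opt applications into the IE rendering engine; the DLL and key names are standard Windows components, and which programs on a given host use them is what the check discovers.

```powershell
# Added example (not from the article or AhnLab's report): list running processes that have
# loaded the legacy Internet Explorer engine DLLs and the WebBrowser-control emulation
# entries that opt an application into the IE rendering engine. Run from an elevated
# PowerShell: module lists of other users' processes are only readable with admin rights.

$legacyModules = @('mshtml.dll', 'jscript9.dll', 'jscript.dll', 'ieframe.dll')

function Get-IeEngineConsumers {
    # One object per (process, module) pair where the module is a legacy IE component.
    foreach ($p in Get-Process) {
        try {
            $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop   # fails for protected or cross-architecture processes
        } catch {
            continue
        }
        foreach ($m in $mods) {
            if ($legacyModules -contains $m.ModuleName.ToLower()) {
                [pscustomobject]@{
                    ProcessName = $p.ProcessName
                    Id          = $p.Id
                    Path        = $p.Path
                    Module      = $m.ModuleName
                    ModulePath  = $m.FileName
                }
            }
        }
    }
}

function Get-BrowserEmulationOptIns {
    # Executables registered here ask the WebBrowser control for a specific IE document mode.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($name in $item.PSObject.Properties.Name) {
            if ($name -notlike 'PS*') {   # skip PowerShell's PSPath/PSParentPath metadata
                [pscustomobject]@{ Key = $k; Executable = $name; DocumentMode = $item.$name }
            }
        }
    }
}

Get-IeEngineConsumers | Sort-Object ProcessName, Module -Unique | Format-Table -AutoSize
Get-BrowserEmulationOptIns | Format-Table -AutoSize
```

Some built-in Windows processes load these DLLs themselves, so the entries worth following up are third-party applications, which form the list to check against vendor patch status and the August security updates.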

It’s highly recommended that organizations ensure that their systems are always up-to-date with the latest security fixes to protect against cyberattacks and other threats. Furthermore, software vendors should avoid using libraries and modules that have known security risks when developing their products.
