Malicious ads used Internet Explorer zero-day vulnerability to deliver malware

16 Oct 2024

In May, the North Korean hacking group ScarCruft (also known as APT37 or RedEyes) launched a large-scale cyberattack exploiting a zero-day vulnerability in Internet Explorer. The attack, known as “Code on Toast,” used a flaw tracked as CVE-2024-38178 to deliver the RokRAT malware and steal data. ScarCruft is a state-sponsored cyber-espionage group whose usual targets are in South Korea and Europe, along with North Korean human rights activists and defectors.

A report from South Korea’s National Cyber Security Center (NCSC) and AhnLab Security (ASEC) revealed that ScarCruft compromised a South Korean advertising server to display malicious “toast pop-up ads” in a widely used piece of free software. When Internet Explorer rendered these ads, they triggered remote code execution by exploiting the CVE-2024-38178 flaw in its JScript9.dll file. Microsoft was promptly notified of the flaw and released a security update in August 2024 to fix it.

The RokRAT malware, used by ScarCruft for several years, was deployed in this attack to exfiltrate files with specific extensions (e.g., .doc, .xls, .txt) to a Yandex cloud account every 30 minutes. The malware also performed keylogging, clipboard monitoring, and frequent screenshot capture, all while evading detection by security tools. Persistence was achieved by adding a payload to Windows startup.
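The fixed 30-minute exfiltration cadence described above is a beaconing pattern that stands out in egress logs. The following is an added example, not code from the NCSC/ASEC report or from either vendor: it scans constructed proxy-log lines (the cloud host `cloud.example.net` and the workstation names `ws-17`/`ws-22` are placeholders) for source/destination pairs whose upload intervals cluster tightly around a fixed period.

```python
"""Flag hosts that upload to a cloud destination on a fixed cadence (default ~30 min)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (placeholders, not from the report):
# timestamp  source-host  method  destination-host  bytes-sent
SAMPLE_LOG = """\
2024-05-10T09:00:12 ws-17 PUT cloud.example.net 48213
2024-05-10T09:10:00 ws-17 GET www.example.com 0
2024-05-10T09:30:09 ws-17 PUT cloud.example.net 51002
2024-05-10T10:00:15 ws-17 PUT cloud.example.net 47760
2024-05-10T10:30:11 ws-17 PUT cloud.example.net 50340
2024-05-10T09:05:00 ws-22 PUT cloud.example.net 120
2024-05-10T11:47:00 ws-22 PUT cloud.example.net 90
"""


def parse_uploads(text):
    """Group upload (PUT/POST) timestamps by (source, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, method, dst, _sent = line.split()
        if method in ("PUT", "POST"):
            events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_periodic_uploads(text, period_s=1800, tolerance=0.1, min_events=4):
    """Return [(src, dst, mean_gap_s)] for pairs whose upload gaps average close to
    period_s and vary by no more than `tolerance` relative to that average."""
    hits = []
    for (src, dst), times in parse_uploads(text).items():
        if len(times) < min_events:          # too few uploads to call it a cadence
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:                          # duplicate timestamps; nothing to measure
            continue
        jitter = pstdev(gaps) / avg           # relative spread of the intervals
        if abs(avg - period_s) <= tolerance * period_s and jitter <= tolerance:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_periodic_uploads(SAMPLE_LOG):
        print(f"{src} uploads to {dst} every ~{gap} s")
```

Tune `period_s` and `tolerance` to the cadence under investigation; the jitter bound is what separates scheduled beaconing from ordinary bursty user activity.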

Despite Internet Explorer’s retirement in 2022, its components remain embedded in some software, leaving that software exposed to exploitation. Although Microsoft patched the flaw, outdated tools that still use Internet Explorer components may continue to pose risks. The number of affected users and details of the compromised free software remain unclear, with further updates pending.