Legacy components of Internet Explorer continue to pose significant risks, as cybercriminals exploit vulnerabilities in outdated software. Recently, the North Korean hacking group ScarCruft leveraged a zero-day flaw in Internet Explorer to disseminate a potent malware strain, targeting users in South Korea and Europe through infected pop-up ads.
The attack is linked to a security weakness cataloged as CVE-2024-38178. Despite Microsoft’s retirement of the browser, many third-party applications still utilize its components, creating ongoing security challenges. ScarCruft, also known as APT37, is notorious for espionage efforts against political targets, including defectors and human rights organizations.
In this operation, the hackers used 'Toast' notifications (small pop-up windows commonly shown by desktop applications) to deliver malicious code. Through a compromised South Korean advertising agency, they served ads containing hidden iframes that exploited the Internet Explorer flaw and ran malicious JavaScript without any user interaction, which makes this a 'zero-click' attack.
The malware, dubbed RokRAT, is designed to steal sensitive information from infected systems, focusing on document types such as .doc, .xls, and .txt. It exfiltrates this data to cloud servers controlled by the attackers and also includes functions for logging keystrokes and capturing screenshots.
Once deployed, RokRAT employs multiple evasion techniques, including injecting itself into system processes to avoid detection. It can detect antivirus software and alter its infection strategy accordingly, ensuring persistence through system restarts.
Despite a patch released by Microsoft in August 2024 to address CVE-2024-38178, many users and software vendors remain unpatched, leaving them vulnerable. The dependency on legacy components, particularly JScript9.dll, underscores the need for enhanced patch management across the tech industry. This incident highlights how outdated software remains a significant vector for large-scale malware campaigns.
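The article's closing point is that the exposure comes from third-party software that still loads the Internet Explorer script engine, not from the retired browser itself. The following PowerShell script is an added example (not from the article, and not tied to any specific vendor's product) that a defender can run on a Windows host to inventory that dependency: it reports the file version of the 64-bit and 32-bit copies of JScript9.dll and lists running processes that currently have the DLL loaded. The article does not state the patched file version, so the `-MinimumVersion` parameter is a placeholder you fill in from Microsoft's advisory for CVE-2024-38178; the script itself makes no claim about which build is fixed.

```powershell
# Added example: inventory JScript9.dll (the legacy Internet Explorer script engine) on a Windows host.
# Purpose: find the on-disk version of the DLL and the processes that have it loaded, so that
# third-party applications still depending on the IE engine can be identified for patching.
# The fixed build number is NOT taken from the article; supply it via -MinimumVersion (placeholder).
param(
    [version]$MinimumVersion = $null   # e.g. the build listed in the vendor advisory (assumption/placeholder)
)

# Both copies matter: 64-bit hosts load the SysWOW64 copy into 32-bit processes.
$dllPaths = @(
    (Join-Path $env:SystemRoot 'System32\jscript9.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\jscript9.dll')
)

Write-Output '== On-disk JScript9.dll versions =='
foreach ($path in $dllPaths) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : not present"
        continue
    }
    $vi = (Get-Item $path).VersionInfo
    # Build a clean System.Version from the numeric parts; FileVersion strings can carry suffixes.
    $ver = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = 'version check skipped (no -MinimumVersion given)'
    if ($MinimumVersion) {
        $status = if ($ver -ge $MinimumVersion) { 'at or above supplied minimum' } else { 'BELOW supplied minimum' }
    }
    Write-Output "$path : $ver ($status)"
}

Write-Output ''
Write-Output '== Running processes with JScript9.dll loaded =='
# Note: a 64-bit PowerShell session cannot enumerate the 32-bit modules of WOW64 processes;
# run this section from both a 64-bit and a 32-bit PowerShell host for full coverage.
$loaders = foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules        # throws "Access is denied" for protected or other-user processes
    } catch {
        continue
    }
    $hit = $mods | Where-Object { $_.ModuleName -ieq 'jscript9.dll' }
    if ($hit) {
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            Id          = $proc.Id
            ExePath     = $proc.Path
            DllPath     = $hit.FileName
        }
    }
}

if ($loaders) {
    $loaders | Format-Table -AutoSize
} else {
    Write-Output 'No accessible process currently has jscript9.dll loaded.'
}
```

Run it from an elevated prompt so that module lists of service processes are readable; processes that appear in the second table are the applications whose vendors need to be asked about their Internet Explorer engine dependency. The script only inventories the component, it does not detect exploitation, so treat a "BELOW supplied minimum" result as a patch-management finding, not as an incident.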