Malicious Ads Exploited Internet Explorer Zero-Day to Spread RokRAT Malware in ScarCruft Attack

In May 2024, the North Korean hacking group ScarCruft (APT37) exploited an Internet Explorer zero-day flaw (CVE-2024-39178) to distribute RokRAT malware through malicious toast pop-up ads. The zero-click campaign, dubbed "Code on Toast," used a compromised advertising server to reach targeted systems, exfiltrate sensitive data and carry out espionage. Despite Internet Explorer's retirement, its components still pose a significant risk because threat actors continue to exploit vulnerabilities in them.

  • Zero-Day Exploitation: ScarCruft leveraged a zero-day vulnerability in Internet Explorer (CVE-2024-39178) to launch a cyber-espionage campaign via malicious toast pop-up ads, infecting systems with RokRAT malware.
  • ScarCruft's Tactics: The attack targeted Internet Explorer's JScript9.dll (the Chakra JavaScript engine) through compromised toast ads displayed by free software commonly used in South Korea.
  • RokRAT Malware: This sophisticated malware variant collects data through keylogging, clipboard monitoring and periodic screenshot capture, and exfiltrates sensitive files to a Yandex cloud server every 30 minutes.
  • Persistence and Evasion: RokRAT evades detection by injecting its payloads into the 'explorer.exe' process or other system processes, and achieves persistence by registering the final payload in Windows startup and the system task scheduler.
  • Internet Explorer Vulnerability: Despite the browser's retirement, outdated components in Windows and third-party software continue to be exploited by attackers. Microsoft addressed the flaw in August 2024, but unpatched systems remain exposed.

This campaign demonstrates the ongoing risk posed by outdated Internet Explorer components, despite Microsoft's efforts to retire the browser. Users of software that still relies on older Internet Explorer functionality remain vulnerable to zero-click attacks. To mitigate this risk, users and organizations should apply security updates promptly and discontinue the use of outdated or unsupported browser components. ScarCruft's exploitation of zero-day vulnerabilities underscores the importance of staying vigilant, especially as state-sponsored threat actors continuously refine their tactics for widespread exploitation.
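The following triage script is an added example written for this summary; it is not code from the article, from AhnLab or from Microsoft. It gives a defender a quick host-level view of the two points raised above: whether the legacy Chakra engine (JScript9.dll) on a Windows machine is older than the organization's patched baseline, and whether anything unexpected sits in the persistence locations the summary names (Windows startup and the task scheduler). It assumes an elevated Windows PowerShell 5.1 or later session; the value of $MinimumSafeVersion is a placeholder, because the article does not state the patched file version, and must be replaced with the JScript9.dll version from your own August 2024 patch baseline.

```powershell
# Added triage script (not from the article, AhnLab or Microsoft).
# Assumptions: elevated PowerShell 5.1+ on Windows; $MinimumSafeVersion is a
# PLACEHOLDER that must be set from your own patch baseline.

$MinimumSafeVersion = [version]'0.0.0.0'   # PLACEHOLDER: patched JScript9.dll version

function Get-JScript9Status {
    # Check both the native and the WOW64 copy of the Chakra engine.
    $candidates = @(
        "$env:SystemRoot\System32\jscript9.dll",
        "$env:SystemRoot\SysWOW64\jscript9.dll"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            # FileVersionRaw is a [version] object, so it compares numerically.
            $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersionRaw
            [pscustomobject]@{
                Path          = $path
                FileVersion   = $ver
                BelowBaseline = ($ver -lt $MinimumSafeVersion)
            }
        }
    }
}

function Get-StartupEntries {
    # Startup folders for the current user and all users.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (Test-Path -LiteralPath $folder) {
            Get-ChildItem -LiteralPath $folder -Force |
                ForEach-Object {
                    [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Target = $_.FullName }
                }
        }
    }
    # Classic Run keys, per user and machine wide.
    foreach ($key in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')) {
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $p.Value }
                }
            }
        }
    }
}

function Get-NonMicrosoftScheduledTasks {
    # Tasks outside the \Microsoft\ tree are the usual place to start reviewing.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    State     = $task.State
                }
            }
        }
}

# Run the three checks and print a compact report.
'== Legacy JScript9.dll status =='
Get-JScript9Status | Format-Table -AutoSize

'== Startup folder and Run key entries =='
Get-StartupEntries | Format-Table -AutoSize

'== Scheduled tasks outside \Microsoft\ =='
Get-NonMicrosoftScheduledTasks | Format-Table -AutoSize
```

The script only reports; it makes no changes. An entry in the startup or scheduled-task output is not evidence of compromise on its own, so compare the lists against a known-good baseline from a freshly patched machine, and treat a JScript9.dll version below your baseline as a patching gap to close rather than as a confirmed infection.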