DPRK Exploits Microsoft Zero-Day Vulnerability in No-Click Toast Attacks

The Rising Threat of APT37: A Deep Dive into the North Korea-Backed Cyberattack

In the ever-evolving landscape of cybersecurity, the emergence of advanced persistent threats (APTs) poses significant challenges for organizations worldwide. One such group, known as APT37 (also referred to as RedAnt, RedEyes, ScarCruft, and Group123), has recently made headlines for exploiting a zero-day vulnerability in Microsoft’s Internet Explorer (IE) browser. This attack, which targeted South Korean entities, underscores the persistent risks posed by legacy software and the innovative tactics employed by state-sponsored cybercriminals.

The Zero-Day Exploit: A Window of Opportunity

During the summer of 2023, APT37 leveraged a zero-day vulnerability tracked as CVE-2024-38178 (with a CVSS score of 7.5) to execute a sophisticated supply chain attack. Despite Internet Explorer reaching its end of life in 2022, many organizations still rely on legacy applications that utilize IE components. This particular exploit was aimed at a Toast ad program, commonly bundled with various free software applications. Toast notifications, which pop up in the bottom-right corner of a user’s screen, are designed to deliver ads but can also serve as vectors for malicious activity.

According to researchers from AhnLab Security Intelligence Center (ASEC), the vulnerability was exploited when the ad program downloaded and rendered ad content. Instead of legitimate advertisements, the compromised script began delivering malware, effectively turning the ad delivery mechanism into a conduit for cyberattacks.

The Mechanics of the Attack: Code on Toast

APT37’s operation, dubbed "Code on Toast," involved compromising an ad agency and injecting malicious code into the Toast script used for ad content delivery. This zero-click attack required no user interaction, making it particularly insidious. Once the malware was delivered, it deployed RokRAT, a remote access tool that APT37 has utilized in previous campaigns. This malware enables attackers to execute remote commands and maintain persistence within the infected system.

The researchers noted that the attackers employed Ruby to ensure the longevity of their malicious activities, utilizing a commercial cloud server for command and control operations. Fortunately, the campaign was detected early, and security measures were implemented against other potentially vulnerable Toast advertising programs before a patch for the vulnerability was released.

The Legacy of Internet Explorer: A Lingering Threat

Despite Microsoft’s efforts to phase out Internet Explorer, the browser’s integration into various applications continues to pose a significant cybersecurity risk. IE vulnerabilities remain an attractive target for hackers, particularly those affiliated with state-sponsored groups like APT37, because the engine lives on inside other software even where the browser itself is no longer used. The August 2023 Patch Tuesday update addressed the CVE-2024-38178 vulnerability, but the ongoing use of IE as a component in other software highlights the need for vigilance.
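A practical first step for defenders is knowing which software on a host still embeds the IE engine, since that is where a patch such as the one for CVE-2024-38178 actually matters. The following PowerShell script is an added example, not code from the article or from AhnLab; it lists running processes that have mapped IE rendering or scripting DLLs, and executables registered under the FEATURE_BROWSER_EMULATION registry key (the mechanism applications use to opt into IE rendering in an embedded WebBrowser control). The list of module names is an assumption about which DLLs best indicate IE engine use; run in an elevated session to see all processes.

```powershell
# Added example (not from the article or ASEC): inventory software that still
# relies on Internet Explorer components on this host.

# Assumed indicator set: DLLs that make up the IE rendering/scripting engine.
$ieModules = @('mshtml.dll', 'jscript9.dll', 'jscript.dll', 'ieframe.dll')

# 1. Live check: which running processes currently have IE engine DLLs loaded?
$loaded = Get-Process | ForEach-Object {
    $proc = $_
    try {
        $hits = $proc.Modules | Where-Object { $ieModules -contains $_.ModuleName.ToLower() }
    } catch {
        $hits = $null   # access denied (protected process) or 32/64-bit mismatch
    }
    if ($hits) {
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            Id          = $proc.Id
            Path        = $proc.Path
            IeModules   = ($hits.ModuleName | Sort-Object -Unique) -join ', '
        }
    }
}

# 2. Static check: executables that opted into IE rendering via FEATURE_BROWSER_EMULATION.
#    Values are keyed by executable name; the data is the IE document mode requested.
$featureKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
)
$registered = foreach ($key in $featureKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... bookkeeping properties; keep *.exe entries only.
        $item.PSObject.Properties | Where-Object { $_.Name -like '*.exe' } | ForEach-Object {
            [pscustomobject]@{ Key = $key; Executable = $_.Name; DocumentMode = $_.Value }
        }
    }
}

"Processes with IE engine DLLs loaded:"
$loaded | Format-Table -AutoSize
"Executables registered for IE browser emulation:"
$registered | Format-Table -AutoSize
```

Anything that appears in either list is a candidate for the same class of risk the Toast ad program exposed: content fetched from the network and rendered by the IE engine. Such findings feed directly into patch prioritisation and into the decision whether the application can be replaced or its ad or web component disabled.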

AhnLab researchers emphasized that such attacks are challenging to defend against, as they can bypass traditional security measures, including user awareness and antivirus solutions. The potential impact of these exploits is substantial, particularly when they target widely used software.

The Evolution of North Korean Cyber Tactics

The sophistication of North Korean hacking groups has been on the rise, with APT37 exemplifying this trend. The group has increasingly diversified its attack methods, moving beyond IE vulnerabilities to exploit a broader range of software weaknesses. This evolution necessitates a proactive approach from both users and software developers.

To mitigate risks, users are urged to keep their operating systems and applications up to date. Additionally, software manufacturers must exercise caution in their development processes, avoiding the use of vulnerable libraries and modules that could expose their products to exploitation.

Conclusion: Staying Ahead of the Threat

The recent activities of APT37 serve as a stark reminder of the persistent threats posed by state-sponsored cybercriminals. As technology continues to advance, so too do the tactics employed by these groups. Organizations must remain vigilant, adopting robust cybersecurity measures and fostering a culture of awareness among users.

In an age where cyber threats are increasingly sophisticated, the lessons learned from the APT37 incident underscore the importance of vigilance, timely updates, and proactive security measures. By staying informed and prepared, organizations can better defend against the ever-present specter of cyberattacks.
