North Korean APT Exploited IE Zero-Day in Supply Chain Attack

A North Korean threat actor has exploited a recent Internet Explorer zero-day vulnerability in a supply chain attack, threat intelligence firm AhnLab and South Korea’s National Cyber Security Center (NCSC) say.

Tracked as CVE-2024-38178, the security defect is described as a scripting engine memory corruption issue that allows remote attackers to execute arbitrary code on target systems that use Edge in Internet Explorer Mode.

Patches for the zero-day were released on August 13, when Microsoft noted that successful exploitation of the bug would require a user to click on a crafted URL.

According to a new report from AhnLab and NCSC, which discovered and reported the zero-day, the North Korean threat actor tracked as APT37, also known as RedEyes, Reaper, ScarCruft, Group123, and TA-RedAnt, exploited the bug in zero-click attacks after compromising an advertising agency.

“This operation exploited a zero-day vulnerability in IE to utilize a specific Toast ad program that is installed alongside various free software,” AhnLab explains.

Because any program that uses IE-based WebView to render web content for displaying ads would be vulnerable to CVE-2024-38178, APT37 compromised the online advertising agency behind the Toast ad program to use it as the initial access vector.

Microsoft ended support for IE in 2022, but the vulnerable IE browser engine (jscript9.dll) is still present in the ad program and can still be found in numerous other applications, AhnLab warns.
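Since the risk described here is not limited to the Toast ad program but to any application that still loads the legacy engine, a quick inventory check is useful. The following PowerShell function is an added example, not code from AhnLab or the article; it lists running processes that have jscript9.dll loaded and where that copy of the engine was loaded from.

```powershell
# Added example (not from AhnLab or the article): enumerate running processes that
# have loaded the legacy IE scripting engine (jscript9.dll) named in the report.
function Get-ProcessesUsingIEEngine {
    param([string]$ModuleName = 'jscript9.dll')
    $hits = @()
    foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules
        } catch {
            # Module enumeration fails for protected or cross-bitness processes
            # without elevation; skip those rather than abort the inventory.
            continue
        }
        $match = $mods | Where-Object { $_.ModuleName -ieq $ModuleName }
        if ($match) {
            $hits += [pscustomobject]@{
                Name       = $proc.ProcessName
                PID        = $proc.Id
                ExePath    = $proc.Path
                EnginePath = ($match | Select-Object -First 1).FileName
            }
        }
    }
    return $hits
}

# Any entry here is an application that still renders content with the IE engine.
Get-ProcessesUsingIEEngine | Format-Table -AutoSize
```

Run it from an elevated session to cover processes owned by other users; a hit only means the engine is loaded, so follow up by checking that the August 13 update for CVE-2024-38178 is installed on that host.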

“TA-RedAnt first attacked the Korean online advertising agency server for ad programs to download ad content. They then injected vulnerability code into the server’s ad content script. This vulnerability is exploited when the ad program downloads and renders the ad content. As a result, a zero-click attack occurred without any interaction from the user,” the threat intelligence firm explains.

The North Korean APT exploited the security defect to trick victims into downloading malware on systems that had the Toast ad program installed, potentially taking over the compromised machines.

AhnLab has published a technical report in Korean (PDF) detailing the observed activity, which also includes indicators of compromise (IoCs) to help organizations and users hunt for potential compromise.

Active for more than a decade and known for exploiting IE zero-days in attacks, APT37 has been targeting South Korean individuals, North Korean defectors, activists, journalists, and policy makers.
