North Korean Hackers Target Internet Explorer Vulnerability in Supply Chain Attack
A recently discovered zero-day vulnerability in Internet Explorer has once again exposed the persistent threat of cyber espionage. The latest victim? An advertising agency compromised by the notorious North Korean APT37 group, also known as RedEyes, Reaper, ScarCruft, Group123, and TA-RedAnt. This sophisticated attack highlights the group’s ability to exploit outdated technology, using a flaw in Internet Explorer to target users through supply chain vulnerabilities.
A Vulnerability Exploited in Plain Sight
Tracked as CVE-2024-38178, the vulnerability is tied to a memory corruption issue within Internet Explorer’s scripting engine. While Microsoft ended support for Internet Explorer in 2022, many applications, including advertising software, continue to rely on its underlying code to function. Specifically, the vulnerability exists within jscript9.dll, a browser engine component that remains embedded in software, leaving it vulnerable to attack.
According to AhnLab and South Korea’s National Cyber Security Center (NCSC), APT37 targeted the vulnerable browser engine to launch a zero-click attack. This means that users did not need to interact with malicious links or files for their systems to be compromised. The flaw allowed remote code execution, enabling the attackers to take control of affected machines simply through exposure to compromised advertisements.
How the Attack Unfolded
The attack began when APT37 compromised the advertising server of a Korean company behind the Toast ad program, which was bundled with various free software. The compromised server then distributed malicious ads through the ad program to systems running the vulnerable Internet Explorer engine. As these ads were downloaded and rendered, the malicious code was executed without any user interaction, resulting in a zero-click attack.
APT37 used this vulnerability as an entry point to deliver malware to the affected systems. This was likely part of a broader effort to target individuals involved in South Korean affairs, including defectors, activists, journalists, and policymakers.
Microsoft’s Patch and Ongoing Risks
Microsoft released a patch for CVE-2024-38178 on August 13; its accompanying description characterized exploitation as requiring a user to click a crafted URL. However, this patch came too late for the compromised advertising agency and its users. Even with this fix, the presence of Internet Explorer's engine in legacy software remains a significant risk.
AhnLab warns that many applications continue to use Internet Explorer’s WebView component to render web content, making them vulnerable to this type of attack. The fact that a browser retired over two years ago is still being exploited underscores the importance of regularly updating software and replacing legacy systems.
Protecting Against Zero-Day Exploits
APT37’s exploitation of CVE-2024-38178 serves as a stark reminder of the need for organizations to stay vigilant against zero-day vulnerabilities, even in outdated software. Here are a few steps that businesses and individuals can take to reduce the risk of similar attacks:
- Regular Software Updates: Ensure that all software is up to date, and discontinue the use of outdated or unsupported applications.
- Monitor Indicators of Compromise (IoCs): AhnLab has published a report containing IoCs related to this attack. Organizations should monitor their networks for these indicators to detect any signs of compromise.
- Isolate Vulnerable Software: If certain applications rely on older, vulnerable software components, isolate them from the rest of your network to prevent the spread of malware in the event of an attack.
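To act on the "isolate vulnerable software" step, an administrator first needs to know which applications on a host still load the retired Internet Explorer engine. The following PowerShell inventory script is an added example, not code from the article or from AhnLab; it assumes an elevated session on the Windows host being checked, and treats jscript9.dll (named in the report) and mshtml.dll (the engine behind the WebBrowser/WebView control) as the modules of interest.

```powershell
# Added example: list running processes that have the legacy IE engine loaded.
# Assumptions: run elevated on the host under review; module names are the
# scripting engine (jscript9.dll) and rendering engine (mshtml.dll).
$engineModules = @('jscript9.dll', 'mshtml.dll')

function Get-LegacyIeEngineHosts {
    param([string[]]$ModuleNames = $engineModules)

    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            # Module enumeration fails for protected or cross-bitness processes; skip those.
            $loaded = $proc.Modules | Where-Object { $ModuleNames -contains $_.ModuleName }
        } catch {
            $loaded = $null
        }
        foreach ($m in $loaded) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
                # Compare against the version shipped in the August 2024 update
                # (see the Microsoft advisory for the patched build number).
                FileVersion = $m.FileVersionInfo.FileVersion
            }
        }
    }
}

# Each row is one application that would render or script web content through IE.
Get-LegacyIeEngineHosts | Sort-Object ProcessName, PID | Format-Table -AutoSize
```

Processes that appear here, such as ad-supported or bundled software, are the candidates for updating, replacing, or network isolation; an empty result on a patched host with no such software is the expected outcome.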
Lessons from APT37’s Persistence
APT37, also known as RedEyes, has a long history of targeting high-profile individuals and groups, often using zero-day vulnerabilities to gain access. Their latest campaign demonstrates that even after a decade of activity, they remain a significant cyber threat.
In today’s evolving cyber landscape, attacks like these are a reminder that the weakest link in the supply chain can cause widespread damage. Regular updates, awareness of known vulnerabilities, and robust security practices are essential defenses against advanced persistent threats like APT37.
As long as legacy software remains in use, cybercriminals will continue to exploit these hidden vulnerabilities. Staying ahead requires a proactive approach to cybersecurity—because the next zero-day exploit may be just around the corner.