Security researchers have uncovered a sophisticated attack by the North Korea-based advanced persistent threat group APT37. The group exploited a zero-day vulnerability in Microsoft's retired Internet Explorer browser to run a zero-click supply chain campaign against South Korean targets during the summer of 2024.
Although Internet Explorer reached end of life in June 2022 and is no longer in widespread use, many legacy applications still embed its engine. In this case APT37, also tracked as RedAnt, RedEyes, ScarCruft and Group123, targeted a toast ad program of the kind commonly bundled with free software. Such programs render ads in a WebView component; where that WebView is built on the IE engine, it inherits every IE vulnerability, and because toast ads render in the background without any click, an exploit in the ad content executes silently.
A report from AhnLab Security Intelligence Center (ASEC) describes how APT37 compromised an ad agency and used CVE-2024-38178, a memory-corruption flaw in IE's JScript9 scripting engine, by injecting malicious code into the script the agency's servers delivered as ad content. The trojanized script became the delivery mechanism, and the infection chain ended with RokRAT, a backdoor APT37 has used for years.
The attack, dubbed "Code on Toast" by the researchers, required no user interaction. Once a system was compromised, the attackers could execute remote commands, maintain persistence via a Ruby script, and run command and control through commercial cloud services, a long-standing RokRAT trait.
The attack was detected early, which limited the damage. AhnLab reported that, before a patch was available, it had put protections in place against the same vulnerability being exploited through other toast ad programs.
Although Microsoft patched the bug in its August 2024 Patch Tuesday update, the incident underscores the ongoing risk posed by IE components that remain embedded in applications and software. As long as the IE engine ships inside other products, attackers retain an incentive to find and exploit IE zero-days, whether or not anyone still uses the browser itself.
AhnLab researchers warned that such attacks are hard to defend against and that the blast radius depends entirely on how widely the targeted software is installed. They also noted a growing trend of North Korean groups exploiting vulnerabilities beyond IE, and stressed that users should keep software current and that developers should avoid building on vulnerable libraries and modules, including legacy browser engines.
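The practical problem for a defender is that "IE" no longer appears on the desktop, so the engine has to be found where it is actually loaded. The following script is an added example written for this page; it is not code from the ASEC report, from the affected ad program or from APT37's tooling. It runs two checks over constructed sample data: it scans Sysmon-style image-load records for processes that are not known browsers yet load mshtml.dll or jscript9.dll (the IE renderer and the JScript engine where CVE-2024-38178 was patched), and it parses a .reg export of the FEATURE_BROWSER_EMULATION key, where applications opt their WebBrowser control into a specific IE document mode. The log line format, the `EXPECTED_HOSTS` allowlist and the sample registry contents are assumptions made for the example.

```python
"""Audit telemetry for applications that embed the Internet Explorer engine.

Added example for this page; not code from the ASEC report, from APT37's
tooling, or from the affected ad program. All input below is constructed.

1. Image-load events (Sysmon Event ID 7 style): a process that is not a
   known browser yet loads mshtml.dll (Trident renderer) or jscript9.dll
   (IE's JScript engine) is rendering content with the IE engine, whatever
   the vendor calls the feature.
2. A .reg export of FEATURE_BROWSER_EMULATION, the key through which an
   application pins its WebBrowser control to an IE document mode.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# DLLs that exist only to host IE rendering or scripting.
IE_ENGINE_DLLS = {"mshtml.dll", "jscript9.dll", "ieframe.dll"}

# Processes where the IE engine is expected (assumption: tune per estate).
EXPECTED_HOSTS = {"iexplore.exe", "msedge.exe"}

# Common FEATURE_BROWSER_EMULATION document modes (subset).
DOC_MODES = {11001: "IE11 edge mode", 11000: "IE11", 10000: "IE10",
             9000: "IE9", 8000: "IE8", 7000: "IE7 (WebBrowser default)"}

_LOAD_RE = re.compile(r"^Image: (?P<image>.+?) ImageLoaded: (?P<loaded>.+)$")
_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<exe>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


@dataclass(frozen=True)
class ImageLoad:
    image: str    # full path of the loading process
    loaded: str   # full path of the DLL it loaded


def parse_image_loads(lines) -> list[ImageLoad]:
    """Parse constructed 'Image: ... ImageLoaded: ...' records; skip the rest."""
    loads = []
    for line in lines:
        m = _LOAD_RE.match(line.strip())
        if m:
            loads.append(ImageLoad(m["image"], m["loaded"]))
    return loads


def find_ie_engine_hosts(loads, expected_hosts=EXPECTED_HOSTS) -> dict[str, set[str]]:
    """Map each non-browser process image to the IE engine DLLs it loaded."""
    hits: dict[str, set[str]] = {}
    for ev in loads:
        dll = ntpath.basename(ev.loaded).lower()
        proc = ntpath.basename(ev.image).lower()
        if dll in IE_ENGINE_DLLS and proc not in expected_hosts:
            hits.setdefault(ev.image, set()).add(dll)
    return hits


def parse_browser_emulation(reg_text: str) -> dict[str, int]:
    """Return {exe: doc_mode} from FEATURE_BROWSER_EMULATION sections only."""
    in_section = False
    modes: dict[str, int] = {}
    for line in reg_text.splitlines():
        k = _KEY_RE.match(line.strip())
        if k:
            in_section = k["key"].upper().endswith("\\FEATURE_BROWSER_EMULATION")
            continue
        v = _VALUE_RE.match(line.strip())
        if in_section and v:
            modes[v["exe"]] = int(v["val"], 16)
    return modes


# Constructed sample telemetry; paths and names are illustrative.
SAMPLE_IMAGE_LOADS = [
    r"Image: C:\Windows\System32\notepad.exe ImageLoaded: C:\Windows\System32\kernel32.dll",
    r"Image: C:\Program Files\FreeTool\ToastAd.exe ImageLoaded: C:\Windows\System32\mshtml.dll",
    r"Image: C:\Program Files\FreeTool\ToastAd.exe ImageLoaded: C:\Windows\System32\jscript9.dll",
    r"Image: C:\Program Files\Internet Explorer\iexplore.exe ImageLoaded: C:\Windows\System32\jscript9.dll",
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"ToastAd.exe"=dword:00002af9
"legacy_viewer.exe"=dword:00001b58

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def report(load_lines, reg_text) -> list[str]:
    """Combine both checks into one list of human-readable findings."""
    findings = []
    for image, dlls in sorted(find_ie_engine_hosts(parse_image_loads(load_lines)).items()):
        findings.append(f"{image} loads IE engine: {', '.join(sorted(dlls))}")
    for exe, mode in sorted(parse_browser_emulation(reg_text).items()):
        findings.append(f"{exe} pinned to {DOC_MODES.get(mode, f'doc mode {mode}')}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_IMAGE_LOADS, SAMPLE_REG):
        print(finding)
```

The image-load check is the more complete of the two: FEATURE_BROWSER_EMULATION only lists applications that explicitly opted into a document mode, while an application that accepts the WebBrowser control's default IE7 mode never appears there but still loads mshtml.dll and jscript9.dll at runtime. Anything the first check flags is a candidate for the same class of attack described above, regardless of whether the vendor markets it as using "IE".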
As attacks grow in sophistication, vigilance and proactive defence remain essential. Users need to keep their systems patched, and software vendors need to treat the components they embed, not just their own code, as part of their attack surface.
In short, Code on Toast is a stark reminder that a retired browser is still a live target as long as its engine ships inside other software, and that cybersecurity readiness has to account for that hidden dependency.

