North Korean Hackers Exploit Zero-Day Flaw (CVE-2024-38178) in “Operation Code on Toast”


A joint report by AhnLab Security Emergency Response Center (ASEC) and the National Cyber Security Center (NCSC) has revealed a new zero-day vulnerability (CVE-2024-38178) in Microsoft Internet Explorer (IE) that is being actively exploited by North Korean hackers. The campaign, dubbed “Operation Code on Toast,” targets users of outdated toast ad programs to deliver malware.

The threat actor behind the attacks, TA-RedAnt (also known as RedEyes, ScarCruft, and APT37), has a history of targeting North Korean defectors and individuals involved in North Korean affairs. This time, they are exploiting a vulnerability in IE’s JavaScript engine (jscript9.dll) to compromise systems running vulnerable toast ad programs.

“This vulnerability occurs when one type of data is mistakenly treated as another during the optimization process of IE’s JavaScript engine (jscript9.dll), allowing type confusion to occur,” the report explains.

The attack chain begins with TA-RedAnt compromising the server of a Korean online advertising agency. They then inject malicious code into the ad content script, which is subsequently downloaded and rendered by the toast ad program on the victim’s machine. This results in a “zero-click” attack, requiring no user interaction.

“As a result, a zero-click attack occurred without any interaction from the user,” the report states.

The attack works because many toast ad programs use an IE-based WebView to display web content, so ad content they fetch is rendered by IE's engine. Despite Microsoft ending support for IE in June 2022, many legacy applications still rely on its engine, making them susceptible to such attacks.

“However, attacks that target some Windows applications that still use IE are continuously being discovered, so organizations and users need to be extra cautious and update their systems with the latest security patches,” the report warns.

AhnLab and NCSC reported the vulnerability to Microsoft, which has since assigned it CVE-2024-38178 (CVSS 7.5) and released a patch on August 13, 2024. Users are strongly advised to apply the patch and ensure their systems are updated to the latest versions to mitigate this threat.
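Because the exposure comes from applications that embed IE's engine rather than from IE itself, it helps to know which processes on a fleet still load jscript9.dll. The following is an added example, not taken from the ASEC/NCSC report: it assumes Sysmon Event ID 7 (image loaded) records exported as JSON lines, and the host names, the `ToastAgent.exe` path and the allowlist are constructed for illustration.

```python
import json
import ntpath
from collections import Counter

LEGACY_ENGINE = "jscript9.dll"
# Assumption: only IE itself is expected to load the engine; tune per environment.
EXPECTED_HOSTS = {"iexplore.exe"}

# Constructed sample records (Sysmon Event ID 7 = image loaded), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Computer": "ws-01", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ImageLoaded": "C:\\Windows\\System32\\jscript9.dll"}
{"EventID": 7, "Computer": "ws-02", "Image": "C:\\Program Files (x86)\\ExampleAd\\ToastAgent.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\JSCRIPT9.DLL"}
{"EventID": 7, "Computer": "ws-02", "Image": "C:\\Program Files (x86)\\ExampleAd\\ToastAgent.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\jscript9.dll"}
{"EventID": 7, "Computer": "ws-03", "Image": "C:\\Tools\\notes.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "Computer": "ws-03", "Image": "C:\\Tools\\notes.exe"}
not-json-line
"""


def legacy_engine_hosts(lines):
    """Return [((computer, process_path), load_count), ...] for unexpected jscript9.dll loads."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON export lines
        if not isinstance(ev, dict) or ev.get("EventID") != 7:
            continue
        # Windows paths are case-insensitive; compare lowercased file names only.
        loaded = ntpath.basename(str(ev.get("ImageLoaded", ""))).lower()
        proc = str(ev.get("Image", ""))
        if loaded != LEGACY_ENGINE:
            continue
        if ntpath.basename(proc).lower() in EXPECTED_HOSTS:
            continue
        hits[(ev.get("Computer", "?"), proc)] += 1
    return sorted(hits.items())


if __name__ == "__main__":
    for (computer, proc), count in legacy_engine_hosts(SAMPLE_EVENTS.splitlines()):
        print(f"{computer}: {proc} loaded {LEGACY_ENGINE} {count} time(s)")
```

Hosts that appear in the output are the ones to prioritize for the August 13, 2024 patch and for updating or removing the embedding application.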

For a more in-depth analysis of the operation, the full and summary reports in Korean can be accessed through AhnLab’s website.
