Attacks exploiting a recently patched high-severity Windows Scripting Engine zero-day vulnerability, tracked as CVE-2024-38178, have been launched by North Korean state-sponsored threat operation APT37, also known as Scarcruft, InkySquid, Ricochet Chollima, Reaper, and Ruby Sleet, to facilitate RokRAT malware delivery, The Hacker News reports.
Threat actors leveraged the flaw to target a toast advertisement program with an unsupported Internet Explorer module, which when installed would trigger a type confusion error and several malicious actions, including the deployment of the RokRAT trojan, a joint analysis from AhnLab Security Intelligence Center and South Korea's National Cyber Security Center showed. Aside from having file enumeration and arbitrary process termination capabilities, RokRAT's latest iteration has also enabled remote command execution and data exfiltration from various browsers and apps. "The technological level of North Korean hacking organizations has become more advanced, and they are exploiting various vulnerabilities in addition to [Internet Explorer]. Accordingly, users should update their operating system and software security," said the report.