16 October 2024

North Korean APT37 exploited IE zero-day to infect targets with malware

A North Korea-backed threat actor has been observed exploiting a recently patched zero-day vulnerability in Microsoft Windows to spread malware.

Known as APT37, TA-RedAnt, ScarCruft, RedEyes, InkySquid, Reaper, Ricochet Chollima, Ruby Sleet and Group123, the threat actor was previously observed targeting specific individuals such as North Korean defectors and experts in North Korean affairs using spear-phishing emails, malicious Android app packages (.apk), and Internet Explorer (IE) vulnerabilities. The group's primary objective remains the acquisition of strategic intelligence, with a focus on non-public cyber threat intelligence and defense strategies.

In its most recent campaign, codenamed ‘Operation Code on Toast’ by the AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea, APT37 exploited a now-patched zero-day vulnerability (CVE-2024-38178), a memory-corruption flaw in the legacy JScript9 scripting engine (jscript9.dll) that a remote attacker can use for remote code execution when a victim loads a specially crafted webpage in Microsoft Edge in Internet Explorer mode, or in any other application that embeds the same IE engine. Microsoft patched this flaw as part of its August 2024 Patch Tuesday.

According to ASEC, the threat actor took advantage of “a specific 'toast' advertisement program that is commonly bundled with various free software.” In Korea, ‘toast’ refers to a type of popup notification that appears at the bottom of the desktop screen.

“Many toast ad programs use a feature called WebView to render web content for displaying ads. However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program,” the researchers explained. “As a result, TA-RedAnt exploited toast ad programs that were using the vulnerable IE browser engine (jscript9.dll), which is no longer supported, as an initial access vector. Microsoft ended its support for IE in June 2022. However, attacks that target some Windows applications that still use IE are continuously being discovered, so organizations and users need to be extra cautious and update their systems with the latest security patches.”

The attackers first compromised the server of a Korean online advertising agency and injected malicious code into the ad content script it served. When the vulnerable toast ad program on a victim's desktop fetched that script, the injected code exploited CVE-2024-38178 in the program's IE-based WebView to download and run malware, with no action required from the user; the researchers describe it as a zero-click attack.
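A first check for the exposure described above, added here as an example and not code from the ASEC/NCSC report or this article: the PowerShell below lists running processes, other than the browsers you expect, that have the legacy IE engine (jscript9.dll or mshtml.dll) loaded, and reads the FEATURE_BROWSER_EMULATION registry keys that applications using the IE WebBrowser control set to opt into a particular IE rendering mode. The module names, registry paths and mode codes are Microsoft's; the list of "known host" processes to ignore is an assumption that you should tune for your own estate. Patch status is not checked here, so a hit means "this program embeds the IE engine and is worth a look", not "this program is exploitable".

```powershell
# Added example, not from the ASEC/NCSC report. Run in an elevated PowerShell on the host
# being checked. Inventory of (1) processes that currently have the IE engine loaded and
# (2) executables registered for IE rendering via FEATURE_BROWSER_EMULATION.

function Get-LegacyIeHosts {
    [CmdletBinding()]
    param(
        # Legacy IE engine DLLs: JScript9 is the scripting engine hit by CVE-2024-38178,
        # mshtml.dll is the Trident renderer that loads it.
        [string[]] $Modules = @('jscript9.dll', 'mshtml.dll'),
        # Processes where the IE engine is expected (assumption: tune for your estate).
        [string[]] $KnownHosts = @('msedge', 'iexplore', 'explorer')
    )
    foreach ($p in Get-Process) {
        # Module enumeration throws for protected or other-user processes; skip those.
        try { $mods = $p.Modules } catch { continue }
        $hit = @($mods | Where-Object { $Modules -contains $_.ModuleName })
        if ($hit.Count -gt 0 -and $KnownHosts -notcontains $p.ProcessName) {
            $js = $hit | Where-Object { $_.ModuleName -eq 'jscript9.dll' } | Select-Object -First 1
            [pscustomobject]@{
                Pid             = $p.Id
                Process         = $p.ProcessName
                Path            = $p.Path
                Modules         = ($hit.ModuleName | Sort-Object -Unique) -join ','
                Jscript9Version = if ($js) { $js.FileVersionInfo.FileVersion } else { $null }
            }
        }
    }
}

function Get-BrowserEmulationOptIns {
    # Apps hosting the WebBrowser control register their exe name under these keys with a
    # DWORD selecting the IE document mode (11001/11000 = IE11, 10001/10000 = IE10,
    # 9000 = IE9, 8000 = IE8, 7000 = IE7 per Microsoft's documentation).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key        = $k
                Executable = $name
                Mode       = $item.GetValue($name)
            }
        }
    }
}

# Usage
Get-LegacyIeHosts          | Format-Table -AutoSize
Get-BrowserEmulationOptIns | Format-Table -AutoSize
```

Two caveats. A 64-bit PowerShell may not see the 32-bit modules of a WOW64 process, and many bundled ad programs are 32-bit, so repeat the first function from the 32-bit host (`%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`) if your results look thin. The registry check is static and catches programs that are installed but not running; the module check only catches what is running at that moment, so schedule it or feed the results into your EDR rather than relying on a single pass.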

In other news, the US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog to add a critical SolarWinds Web Help Desk hardcoded credential vulnerability (CVE-2024-28987), indicating that the issue is being exploited in the wild.
