Microsoft Scripting Engine Flaw Exploited in Malware Attacks
The (now-patched) Microsoft flaw was being exploited by North Korean threat actors earlier this year, according to a new alert.
Earlier this year, a North Korean threat actor compromised a Korean online advertising agency's server and leveraged a Microsoft memory corruption vulnerability in the Scripting Engine (CVE-2024-38178) to push malicious advertisements and download malware. Microsoft released patches for the flaw in August, but researchers with AhnLab and South Korea’s National Cyber Security Center (NCSC) disclosed details of the campaign in a post today.
Key Details:
- The threat actor attacked an unnamed online advertising agency’s server and injected code into the server’s ad content script.
- The attack specifically utilized toast ad programs, a type of pop-up notification ad shown on desktop screens. The toast ad programs in the attack used Internet Explorer browser engines vulnerable to CVE-2024-38178, which stems from a type confusion issue (one type of data being treated as another) within the optimization process of IE’s JavaScript engine.
- “This vulnerability is exploited when the ad program downloads and renders the ad content. As a result, a zero-click attack occurred without any interaction from the user,” according to AhnLab researchers.
The Big Picture: Microsoft ended support for IE in June 2022, but as we see in this attack (and other campaigns this year), threat actors are still finding success targeting IE vulnerabilities. In this case, the attack stems from the fact that many toast ad programs use a component called WebView for rendering web content when displaying the ads. Because WebView operates based on a browser, if a program creator uses an IE-based WebView to write code, IE flaws could be exploited in this program, said AhnLab researchers.
“Attacks that target some Windows applications that still use IE are continuously being discovered, so organizations and users need to be extra cautious and update their systems with the latest security patches,” said AhnLab researchers.
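As an added example (not from the article, AhnLab or NCSC), the following PowerShell snippet helps a defender inventory the situation the researchers describe: Windows applications that still embed the legacy IE engine. It lists running processes that have loaded the IE rendering/scripting DLLs and the programs registered under the IE WebBrowser-control feature key; the DLL and registry names are standard Windows ones, while which processes and entries turn up is host-specific and not taken from the article.

```powershell
# Added example, not code from the article or the researchers it cites.
# Purpose: find applications on this host that still render with the legacy IE engine
# (the component an IE-based WebView depends on). Run elevated so module lists of
# processes in other sessions are visible.

# Standard IE engine DLLs: MSHTML renderer, JScript engines, IE frame/WebBrowser control.
$IeEngineModules = @('mshtml.dll', 'jscript.dll', 'jscript9.dll', 'ieframe.dll')

# Standard feature-control key where apps opt their .exe into a given IE emulation mode.
$EmulationKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
)

function Get-IeEngineHosts {
    # Running processes with at least one IE engine DLL loaded.
    foreach ($proc in Get-Process) {
        try {
            $loaded = $proc.Modules | Where-Object { $IeEngineModules -contains $_.ModuleName }
        } catch {
            continue   # access denied or 32/64-bit mismatch; skip this process
        }
        if ($loaded) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = $proc.Path
                IeModules   = ($loaded.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

function Get-IeEmulationRegistrations {
    # Executables explicitly registered for the IE WebBrowser control's emulation modes.
    foreach ($key in $EmulationKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -like '*.exe' })) {
            [pscustomobject]@{ Key = $key; Executable = $name; Mode = $props.$name }
        }
    }
}

Write-Host '== Processes with the IE engine loaded =='
Get-IeEngineHosts | Format-Table -AutoSize
Write-Host '== Executables registered for IE emulation modes =='
Get-IeEmulationRegistrations | Format-Table -AutoSize
```

Anything listed is a candidate for the "still uses IE" category the researchers warn about and should be checked against the vendor for an update or a move to a modern WebView; an empty list does not prove absence, since an ad program may only load the engine when it renders content.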
The Threat Actor: AhnLab and NCSC attributed this campaign to North Korean threat actor TA-RedAnt (also known as ScarCruft and APT37). The actor is known for other attacks that have leveraged IE vulnerabilities. The group has also previously targeted North Korean defectors and experts in North Korean affairs.
Vendor Response: After AhnLab and NCSC reported the vulnerability to Microsoft, Microsoft on Aug. 13 disclosed the flaw as a scripting engine memory corruption issue that could enable remote code execution, and released a patch. According to Microsoft, “successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode.”