North Korean hackers from the group APT37 have exploited a zero-day vulnerability in Internet Explorer to deploy the RokRAT malware. The campaign compromised Windows devices over the past summer. APT37, also known as Reaper, used a compromised domestic advertisement agency to inject malicious code into Toast pop-up ads.
These ads were exploited to display notifications that triggered the deployment of RokRAT without any user interaction. The state-sponsored hackers targeted the ad agency’s server. They injected vulnerability code into the script that renders ad content.
This resulted in a zero-click attack, allowing RokRAT to be deployed silently. Microsoft officially dropped support for Internet Explorer 11 in June 2022. However, some legacy applications still depend on the outdated browser.
This reliance creates security risks, especially when vulnerable components remain in use.
ScarCruft exploits Windows zero-day
AhnLab and the National Cyber Security Centre (NCSC) discovered and reported the vulnerability to Microsoft.
Microsoft released a patch for the zero-day flaw in response. However, experts advise continued vigilance and regular security updates to mitigate the risk of cyberattacks. Cybersecurity experts stress the importance of keeping all systems updated with the latest security patches.
They also recommend avoiding the use of software libraries and modules with known vulnerabilities. Organizations are encouraged to move away from legacy software that no longer receives security updates. Engaging in best practices for cybersecurity resilience is also crucial.
The recent exploitation of the Internet Explorer vulnerability highlights ongoing threats posed by legacy software. It also showcases the capabilities of state-sponsored hacking groups like APT37. Ensuring that systems are up-to-date and secure is key in defending against cyber threats and protecting sensitive information.
