DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Publicated : 23/11/2024   Category : security


The Code-on-Toast supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.



The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign against South Korean targets, researchers revealed.
While IE reached end of life in 2022 and many organizations don't use it anymore, plenty of legacy applications still embed it. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab Security intelligence Center (ASEC). Toasts are pop-up notifications that appear at the bottom right of a PC screen.
Many Toast ad programs use a feature called WebView to render Web content for displaying ads, according to AhnLab researchers. But WebView is only a wrapper around an underlying browser engine: if the program's developer built it on the IE-based WebView, IE vulnerabilities can be exploited through the ad program itself, even on a machine where nobody ever opens the IE browser.
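One practical check that follows from this is to find out which applications on a Windows host are actually hosting the IE engine, since the ad program, not the browser, is the exposed surface. The PowerShell script below is an added example and is not code from the article or from the ASEC report. It assumes it is run in an elevated PowerShell session on Windows; it looks for processes that have loaded the IE rendering and hosting DLLs (mshtml.dll, ieframe.dll), and lists executables registered under the documented FEATURE_BROWSER_EMULATION registry key, which applications use to pick an IE document mode for an embedded WebBrowser control. Module enumeration of protected processes fails with access denied and is skipped.

```powershell
# Added example (not from the ASEC report or the article): inventory of
# processes and registered applications that depend on the IE-based
# WebBrowser control. Assumes an elevated session on Windows.

# DLLs that load only when a process hosts the legacy IE engine:
# mshtml.dll is the Trident renderer, ieframe.dll hosts the WebBrowser control.
$IeEngineModules = @('mshtml.dll', 'ieframe.dll')

function Get-IeHostingProcess {
    # Returns one object per running process that has the IE engine loaded.
    foreach ($proc in Get-Process) {
        try {
            $loaded = @($proc.Modules | Where-Object {
                $IeEngineModules -contains $_.ModuleName.ToLower()
            })
        } catch {
            # Access denied on protected processes or 32/64-bit mismatch; skip.
            continue
        }
        if ($loaded.Count -gt 0) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Pid         = $proc.Id
                Path        = $proc.Path
                IeModules   = ($loaded.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Registry locations where applications opt their embedded WebBrowser control
# into an IE document mode (machine-wide, 32-bit view, and per-user).
$FeatureControlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
)

function Get-IeEmulationRegistration {
    # Returns each executable registered for IE emulation and the mode it requests.
    foreach ($key in $FeatureControlKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key        = $key
                Executable = $name
                DocMode    = $item.GetValue($name)
            }
        }
    }
}

Write-Host '== Running processes hosting the IE engine =='
Get-IeHostingProcess | Format-Table -AutoSize

Write-Host '== Applications registered for IE browser emulation =='
Get-IeEmulationRegistration | Format-Table -AutoSize
```

A process that appears in the first list and is not a browser, for example a tray-resident ad or update helper, is exactly the kind of component the report describes: it renders remote content through the IE engine and inherits every IE scripting-engine bug that Microsoft has not yet patched on that host. The second list is useful because an ad program is often idle when the inventory runs; a registry entry shows it will use the IE control the next time it renders content.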
According to AhnLab's analysis released last week, the state-sponsored group compromised an ad agency, then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.
"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called Code on Toast. "As a result, a zero-click attack occurred without any interaction from the user."
The malware delivered was RokRAT, which APT37 has consistently used in the past.
"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."
The campaign had the potential to cause significant damage, they said, but the attack was detected early. In addition, security measures were taken against other Toast advertising programs that were confirmed to be exploitable in the same way, before the patched versions were released, according to AhnLab.
Microsoft patched the bug in its August Patch Tuesday update, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for attackers to keep acquiring IE zero-day vulnerabilities.
"Such attacks are not only difficult to defend against with user attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).
They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."
"Accordingly, users should make sure to keep operating systems and software up to date, but software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.
Translation provided by Google Translate.
