Infected ads used IE leak for 'zero-click' malware infection

nicolaasjan

May 29, 2023
Translated:

Attackers have recently used compromised advertisements to infect Windows users with malware without any user interaction. A vulnerability in Internet Explorer (IE) was used. Microsoft released updates for the vulnerability (CVE-2024-38178) last August; it was actively exploited before the patches were released. This was reported by antivirus company AhnLab and the South Korean National Cyber Security Center (NCSC).
Internet Explorer is disabled in Windows, but is still present in the operating system, and applications can still use it. The attackers targeted a specific advertising program that is installed alongside all kinds of free software and shows all kinds of advertisements. This advertising program uses an IE-based WebView to display the advertisements.
Vulnerabilities in Internet Explorer can be exploited via such a WebView. The attackers took advantage of this by compromising a South Korean advertising company to distribute infected advertisements. These advertisements were automatically displayed by the vulnerable advertising program, and the malicious code in the advertisements was automatically executed thanks to the IE leak. No interaction from victims was required.
The infected advertisements installed the RokRAT malware, which steals various files from the system and sends them back to the attackers. The malware also logs keystrokes, monitors the clipboard and takes screenshots. According to the South Korean authorities and AhnLab, the attack is the work of a North Korean group known as ScarCruft and APT37.
 
The same news on BleepingComputer:
Despite Microsoft announcing Internet Explorer's retirement in mid-2022, many of the browser's components remain in Windows or are used by third-party software, allowing threat actors to discover new vulnerabilities for use in attacks.

This may be happening without the users even realizing they're on outdated software that can be easily exploited for zero-click attacks, laying the ground for mass-scale exploitation by knowledgeable threat actors.

What makes this worse is that even though Microsoft fixed this particular Internet Explorer flaw in August, it does not guarantee that it will be adopted immediately by tools using older components. Therefore, free software using outdated Internet Explorer components continues to put users at risk.

BleepingComputer asked ASEC about the number of impacted users and the name of the exploited free software, and we will update you with more information once available.
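Both articles make the same defensive point: the exposure comes from third-party software that still renders content through the IE engine, not from the retired browser itself. The PowerShell below is an added example (not from the article, AhnLab, or BleepingComputer) that helps an administrator find such software on a machine. It lists running processes that have loaded IE engine DLLs and reads the FEATURE_BROWSER_EMULATION registry keys, where applications register themselves to use the IE-based WebView. The DLL names and registry paths are real Windows components; the function names and the choice of which DLLs to look for are my own.

```powershell
# Added example: find software that hosts the Internet Explorer engine on this machine.
# Not part of the original post. DLL list is an assumption about which modules indicate
# an IE-based WebView; extend it if your environment uses others.
$ieModules = 'mshtml.dll', 'ieframe.dll', 'jscript.dll', 'jscript9.dll'

function Get-IEWebViewHosts {
    # Walk every process we are allowed to inspect and report the ones that have
    # an IE engine DLL mapped. Protected or other-user processes throw on .Modules
    # without elevation, so those are skipped rather than aborting the scan.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }
        $hits = $mods | Where-Object { $_.ModuleName -in $ieModules }   # -in is case-insensitive
        if ($hits) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Path        = $proc.Path
                IEModules   = ($hits.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

function Get-BrowserEmulationOptIns {
    # Applications that want the IE WebView to render in a specific document mode
    # register their executable name under FEATURE_BROWSER_EMULATION. Check both
    # hives and the WOW6432Node view used by 32-bit applications.
    $subKey = 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in "${hive}:\SOFTWARE\$subKey", "${hive}:\SOFTWARE\WOW6432Node\$subKey") {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            # Get-ItemProperty adds PSPath/PSParentPath/etc. metadata; drop those.
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Key            = $key
                        Executable     = $_.Name
                        EmulationValue = $_.Value
                    }
                }
        }
    }
}

# Usage: run in an elevated console for full process coverage.
Get-IEWebViewHosts       | Format-Table -AutoSize
Get-BrowserEmulationOptIns | Format-Table -AutoSize
```

A process showing up in the first list means web content it displays (including advertisements) is parsed by the IE engine, so it inherits IE's attack surface even though IE itself is disabled. The second list catches applications that are not running at scan time but are configured to use the WebView. Whether the host has the August fix for CVE-2024-38178 installed is a separate check against Windows Update history; this script only tells you which software still routes content through the engine.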