Severity
High
Analysis Summary
The zero-day exploitation of a now-patched Windows vulnerability to infect machines with the RokRAT malware has been attributed to the North Korean threat actor known as ScarCruft.
The issue at hand is CVE-2024-38178 (CVSS score: 7.5), a memory corruption flaw in the Scripting Engine that can lead to remote code execution when the Edge browser is used in Internet Explorer Mode. Microsoft fixed it as part of its August 2024 Patch Tuesday updates. Exploitation is not automatic, however: an attacker must first persuade a victim to click a specially crafted URL.
The researchers credited with finding and reporting the vulnerability have named the activity cluster Operation Code on Toast. They track ScarCruft as TA-RedAnt (formerly RedEyes); the group is also known in the wider cybersecurity community as APT37, InkySquid, Reaper, Ricochet Chollima, and Ruby Sleet.

The zero-day attack specifically targeted a “Toast” advertising program that is frequently bundled with other free software. In Korea, “Toast” ads are the pop-up notifications that appear at the bottom of the PC screen, usually in the lower-right corner. According to the attack chain outlined by the researchers, the threat actors compromised the server of an unnamed domestic advertising agency that supplies content for the Toast ads, with the intention of inserting exploit code into the advertisement content's script.
The vulnerability is triggered when the Toast application downloads and renders the booby-trapped content from the server. The attacker focused on a particular Toast application that fetches advertisement content using an unsupported Internet Explorer module. The flaw causes Internet Explorer's JavaScript engine (jscript9.dll) to misinterpret data types, resulting in a type confusion error. By exploiting it, the attacker was able to infect computers running the vulnerable Toast application; once infected, the PCs were subjected to numerous malicious activities, including remote access.
The most recent version of RokRAT can gather information from a variety of apps, including KakaoTalk and WeChat, and from browsers including Chrome, Edge, Opera, Naver Whale, and Firefox. It can also enumerate files, terminate arbitrary processes, receive and execute commands from a remote server, and more. Notably, RokRAT uses legitimate cloud services (Dropbox, Google Cloud, pCloud, and Yandex Cloud) as its command-and-control infrastructure, which lets its traffic blend in with normal activity in corporate environments.
ScarCruft has a history of weaponizing vulnerabilities in the outdated browser to distribute further malware. In recent years it has been linked to the exploitation of CVE-2020-1380, a memory corruption vulnerability in the Scripting Engine, and CVE-2022-41128, a Windows Scripting Languages remote code execution vulnerability. North Korean threat groups have grown more technically sophisticated and now leverage vulnerabilities beyond Internet Explorer alone. Users should therefore keep their operating system and software up to date.
Impact
- Remote Code Execution
- Unauthorized Access
- Sensitive Data Theft
Indicators of Compromise
MD5
- e11bb2478930d0b5f6c473464f2a2b6e
- bd2d599ab51f9068d8c8eccadaca103d
SHA-256
- 736092b71a9686fde43d3c4abd941a6774721b90b17d946c9d05af19c84df0a4
- 95a19bb2cc53c2ff2edff89161acb9c50ea450fa8a53bbddde2ca3007b1a1345
SHA-1
- 9a17d9b44af34aca4e94242c54e001d761993763
- f0891b2fd83037f982acfaac17dcd77b091534db
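One way to sweep a directory for the file hashes listed above, as an added example that is not part of the original advisory: it computes MD5, SHA-1 and SHA-256 of every file in a single read pass and reports any match against the IOC set. The directory to scan and the `iocs` parameter are assumptions for illustration.

```python
import hashlib
import os
import sys

# Hash values copied from the advisory's IOC section (lower case so comparison is exact).
IOC_HASHES = {
    "md5": {
        "e11bb2478930d0b5f6c473464f2a2b6e",
        "bd2d599ab51f9068d8c8eccadaca103d",
    },
    "sha1": {
        "9a17d9b44af34aca4e94242c54e001d761993763",
        "f0891b2fd83037f982acfaac17dcd77b091534db",
    },
    "sha256": {
        "736092b71a9686fde43d3c4abd941a6774721b90b17d946c9d05af19c84df0a4",
        "95a19bb2cc53c2ff2edff89161acb9c50ea450fa8a53bbddde2ca3007b1a1345",
    },
}


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for one file, reading it once in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root, iocs=IOC_HASHES):
    """Walk `root` and return [(path, algorithm, hash)] for every file whose hash is in `iocs`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, tuple(iocs))
            except OSError:
                continue  # unreadable file (permissions, in use): skip it rather than abort the sweep
            for algo, value in digests.items():
                if value in iocs[algo]:
                    hits.append((path, algo, value))
    return hits


if __name__ == "__main__":
    # Assumed usage: scan the directory given on the command line (default: current directory).
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IOC match: %s (%s=%s)" % hit)
```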
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
- Enable two-factor authentication.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Deploy advanced threat detection solutions that can identify and analyze suspicious activities, patterns, and behaviors across your network and endpoints. Utilize intrusion detection systems (IDS), intrusion prevention systems (IPS), and next-generation firewalls to proactively monitor and block malicious activities.
- Implement network segmentation to compartmentalize sensitive systems and data.
- Strengthen email security protocols to identify and block phishing attempts. Train employees to recognize suspicious emails and attachments, and employ email filtering technologies to reduce the likelihood of successful spear-phishing attacks.
- Regularly update and patch all software, applications, and operating systems to minimize potential entry points for cyber attackers.
- Enforce MFA across your organization to add an extra layer of security to user accounts and critical systems.
- Deploy advanced endpoint security solutions that offer real-time threat detection and response. This includes antivirus software, endpoint detection and response (EDR) tools, and behavioral analysis to identify suspicious activities.
- Ensure that systems are securely configured and hardened following industry best practices. Disable unnecessary services, ports, and protocols to reduce the attack surface.
- Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a cyber attack. This plan should include communication protocols, roles and responsibilities, and procedures for containing and mitigating the attack.
- Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in your systems and infrastructure.
- Assess the security practices of third-party vendors and suppliers who have access to your network. Ensure they adhere to robust cybersecurity standards to prevent potential supply chain attacks.