NIX Solutions: North Korean Hackers Exploit IE Vulnerability

North Korean hackers have found a way to spread malware by leveraging the old Internet Explorer browser. Although Internet Explorer (IE) has been officially disabled, some of its components persist within Microsoft Edge through a special compatibility mode. This attack method operates without any user interaction.


According to a joint report by South Korea’s National Cyber Security Center (NCSC) and the local IT security vendor AhnLab, attackers exploited a previously unknown zero-day vulnerability in Internet Explorer to target users in South Korea. Despite the deactivation of IE in Windows, its elements remain accessible through third-party software and the IE mode available in Microsoft Edge. This opens a potential route for malicious actors, as explained by PCMag.

Large-Scale Malware Campaign Detected

The incident occurred in May, when the hacker group known as APT 37, or ScarCruft, used the IE vulnerability to distribute malware. The attackers compromised a server belonging to a South Korean online advertising agency, injecting malicious code into pop-up ads. AhnLab reported that this zero-click attack requires no user interaction. “The vulnerability is exploited when the adware downloads and displays the advertising content,” the security firm explained.

Many South Korean users unknowingly expose themselves to such risks by installing free software like antivirus programs or utilities that generate ad windows in the bottom-right corner of the screen. These programs often rely on Internet Explorer components, allowing hackers to distribute the RokRAT malware, designed to execute remote commands and steal sensitive data from infected computers, notes NIX Solutions.
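The two exposure paths described above (IE mode in Microsoft Edge, and third-party programs that embed Internet Explorer components) can be inventoried on a Windows host. The following PowerShell script is an added, defender-side example; it is not code from the article, NCSC, AhnLab or Microsoft. It assumes a Windows machine and reads only the documented Edge policy values InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList plus the module list of each running process; it changes nothing.

```powershell
# Added example, not from the original article. Read-only inventory of where
# Internet Explorer components are still reachable on this host.
# Run in an elevated PowerShell session so protected processes can be inspected.

# 1. Edge IE mode configuration set by policy (machine and user policy hives).
#    InternetExplorerIntegrationLevel: 0 = IE mode off, 1 = IE mode enabled,
#    2 = open sites in standalone IE (legacy setting). If the key is absent,
#    IE mode is not forced by policy and Edge's default (off) applies.
function Get-EdgeIEModePolicy {
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    )
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Hive             = $path
            IntegrationLevel = $props.InternetExplorerIntegrationLevel
            SiteList         = $props.InternetExplorerIntegrationSiteList
        }
    }
}

# 2. Processes that currently have the legacy IE engine loaded. mshtml.dll is
#    the Trident rendering engine and ieframe.dll the WebBrowser control; any
#    non-Microsoft process listed here (for example an ad-displaying utility)
#    is rendering content with the same component the report describes.
function Get-ProcessesUsingIEEngine {
    $ieModules = @('mshtml.dll', 'ieframe.dll')
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try {
            $hits = $proc.Modules | Where-Object { $ieModules -contains $_.ModuleName.ToLower() }
        } catch {
            continue   # access denied on protected or higher-integrity processes
        }
        if ($hits) {
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Path        = $proc.Path
                IEModules   = ($hits.ModuleName -join ', ')
            }
        }
    }
}

Write-Host '== Edge IE mode policy =='
Get-EdgeIEModePolicy | Format-Table -AutoSize

Write-Host '== Processes with IE rendering components loaded =='
Get-ProcessesUsingIEEngine | Format-Table -AutoSize
```

Processes that appear in the second table but are not part of Windows or Edge are the ones worth reviewing: each is an application that will still render web content through the IE engine, so the August security update matters for it even though IE itself is retired.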

Patch Released, but Risks Remain

In August, Microsoft released a patch for the IE zero-day vulnerability, which is tracked as CVE-2024-38178. However, BleepingComputer warns that hackers may still find ways to exploit Internet Explorer components, as these remain in use across Windows and some third-party applications. We’ll keep you updated on any new developments.