Korean hackers spread viruses through Internet Explorer

North Korean hackers have found a way to distribute malware through the old Internet Explorer browser. Although this browser has been officially disabled, its components continue to exist thanks to a special mode in Microsoft Edge. The attack occurs without any participation from the user.

Image Source: Rubaitul Azad/Unsplash

According to a joint report from South Korea’s National Cyber ​​Security Center (NCSC) and local IT security provider AhnLab, attackers used a previously unknown zero-day vulnerability in Internet Explorer to distribute malware to users in South Korea. Despite disabling Internet Explorer on Windows PCs, elements of the browser function through third-party applications installed on the computer, and there is also an IE mode in the Edge browser, thereby opening the door to attack, PCMag explains.

The incident occurred in May of this year. A group of hackers known as APT 37 or ScarCruft exploited an Internet Explorer vulnerability to carry out large-scale malicious activities. According to a report from NCSC and AhnLab, hackers compromised the server of a South Korean online advertising agency, which allowed them to download malicious code through pop-up advertising windows. “This vulnerability is exploited when adware downloads and displays advertising content,” says the AhnLab report. “The result is a zero-click attack that requires no user interaction.”

Image source: AhnLab

The researchers also noted that many South Korean users install free software such as antivirus and other utilities that display an advertising window in the bottom right corner of the screen. However, the problem is that such programs often use modules associated with Internet Explorer, which allowed hackers to distribute RokRAT malware, designed to execute remote commands and steal data from victims’ computers.

In August, Microsoft released a patch to fix a zero-day vulnerability coded CVE-2024-38178. However, as BleepingComputer notes, there is a risk that hackers may find other ways to exploit Internet Explorer components as they continue to be used in Windows and third-party applications.