THREAT CAMPAIGN: APT37’S EXPLOITATION OF CVE-2024-38178 IN THE WINDOWS SCRIPTING ENGINE

John C
3 min read · Oct 22, 2024

On August 13, 2024, Microsoft released a patch for CVE-2024-38178 as part of its August Patch Tuesday. The vulnerability resides in JScript9.dll, the legacy scripting engine that executes JavaScript for Internet Explorer mode and for applications that still embed the old WebBrowser (MSHTML) control. It is a type confusion bug in the JIT (Just-In-Time) compiler: the JIT makes an incorrect assumption about a variable’s type during optimization, so subsequent code operates on memory as if it were a different type, and that mismatch can be turned into arbitrary code execution. Exploitation requires the attacker’s page to be loaded by a component that still uses the legacy engine; a default Chromium-based Edge session is not affected, which is why the campaign below targeted an application-embedded WebView rather than the browser itself.

Notably, the flaw is a bypass of the fix for CVE-2022-41128, another JScript9 vulnerability that North Korea-linked actors exploited in 2022. Because the root cause of CVE-2022-41128 had been analyzed and published in detail, the attackers were able to weaponize this variant quickly to execute remote code on targeted Windows systems.

Exploitation by APT37 (InkySquid)

In June 2024, APT37, a North Korea-aligned threat actor also tracked as InkySquid, ScarCruft, Reaper, and TEMP.Reaper, was observed exploiting CVE-2024-38178 in targeted attacks against organizations in South Korea. The campaign continues APT37’s long-standing tactics, techniques, and procedures (TTPs), which are aimed at espionage and intellectual property theft.

In this campaign the attacker registered a deceptive domain mimicking a legitimate ad agency’s service and used it to target a specific software vendor. The vendor’s product displayed ad pop-ups (toast ads) by fetching ad content from that service and rendering it in a legacy WebView, the IE-era WebBrowser control that depends on the vulnerable JScript9 engine. The ad content the attacker served carried the exploit, so every launch of the ad pop-up executed the attacker’s JavaScript inside the victim’s process, resulting in in-the-wild exploitation of CVE-2024-38178.

Attack Details and Payload Delivery

The exploit targeted Windows users through obfuscated JavaScript embedded in the malicious ad pop-up pages. Because the ad pop-up is loaded automatically when the victim launches the affected software, the exploit triggered without any click or other user interaction beyond running the program.

Once the vulnerability was exploited and arbitrary code execution achieved, APT37 used that foothold to download a multi-part malware package consisting of:

  • A Ruby engine
  • A Ruby script
  • An encrypted file that was decrypted and executed by the Ruby script.

After decryption, the malware used two legitimate executables from the System32 directory as hosts into which it injected the final payload, RokRAT, which therefore ran only in memory. Loading the final stage this way keeps it off disk as a standalone binary and places it under signed Windows processes, which makes file-based detection and casual process-list review far less effective.

Command and Control (C2) Channels

The Command and Control (C2) infrastructure used in this attack is consistent with previous APT37 campaigns: the operators used public cloud storage services, Yandex and pCloud, to communicate with infected machines. Traffic to such services is TLS-encrypted, looks like ordinary user activity, and is rarely blocked outright, which gives the attackers a covert and resilient channel in line with APT37’s usual TTPs.

This attack demonstrates APT37’s ability to move quickly from a published root-cause analysis to a working exploit for a new variant, and to pair it with a staged, in-memory malware chain. Organizations, particularly in South Korea, must remain vigilant and ensure timely patching of vulnerable systems.

[Figure: Malware execution flow]

Recommendations:

  • Apply the August 2024 Patch Tuesday updates, including the fix for CVE-2024-38178, immediately. JScript9.dll ships with Windows and is updated by the cumulative update, so applications that embed the legacy WebBrowser control are covered once the operating system itself is patched.
  • Monitor script execution in legacy web components: alert when a process that has loaded jscript9.dll or mshtml.dll spawns interpreters, archivers, or other unexpected child processes, and when such children in turn launch binaries from System32.
  • Inventory applications that still render content with the legacy WebView (including ad or notification pop-ups) and migrate them to WebView2, which uses the Chromium engine rather than JScript9.
  • Use threat intelligence platforms to stay updated on North Korea-linked activity, especially regarding APT37.
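The execution chain described above (a legacy script host spawning a Ruby interpreter, which in turn launches System32 binaries as injection hosts) is easy to express as a hunting rule over process telemetry. The following is an added example, not code or telemetry from the original report: it runs over constructed Sysmon-style events (EventID 1 = ProcessCreate, EventID 7 = ImageLoad) and flags both links of the chain. The process names, paths and PIDs in the sample log are assumptions for illustration; the article does not name the System32 executables the campaign used.

```python
"""Hunt for a jscript9.dll script host -> Ruby -> System32 child chain.

Added example over constructed Sysmon-like events; not the original
report's code or data. The sample process names and paths are assumed.
"""
import json
import ntpath

SCRIPT_ENGINE = "jscript9.dll"          # legacy engine loaded by the WebView host
RUBY_IMAGES = {"ruby.exe", "rubyw.exe"}  # interpreter the chain drops and runs
SYSTEM32 = "c:\\windows\\system32\\"     # where the injection hosts live
MAX_DEPTH = 8                            # how far up the parent chain to walk

# Constructed telemetry, one JSON event per line as a SIEM might export it.
# PIDs 4120 -> 5208 -> 5300 model the chain in the article; 6100 -> 6200 -> 6300
# is a developer running Ruby from Explorer and must not be flagged.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "ParentProcessId": 912, "Image": "C:\\Program Files\\FreeApp\\ToastAd.exe"}
{"EventID": 7, "ProcessId": 4120, "ImageLoaded": "C:\\Windows\\System32\\jscript9.dll"}
{"EventID": 1, "ProcessId": 5208, "ParentProcessId": 4120, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\rb\\bin\\ruby.exe"}
{"EventID": 1, "ProcessId": 5300, "ParentProcessId": 5208, "Image": "C:\\Windows\\System32\\rundll32.exe"}
{"EventID": 1, "ProcessId": 6100, "ParentProcessId": 912, "Image": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 6200, "ParentProcessId": 6100, "Image": "C:\\Ruby33\\bin\\ruby.exe"}
{"EventID": 1, "ProcessId": 6300, "ParentProcessId": 6200, "Image": "C:\\Ruby33\\bin\\gem.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_process_table(events):
    """Return (pid -> {image, ppid}) and the set of PIDs that loaded jscript9.dll."""
    procs, script_hosts = {}, set()
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = {"image": ev["Image"], "ppid": ev["ParentProcessId"]}
        elif ev["EventID"] == 7 and ntpath.basename(ev["ImageLoaded"]).lower() == SCRIPT_ENGINE:
            script_hosts.add(ev["ProcessId"])
    return procs, script_hosts


def ancestors(pid, procs):
    """Walk the parent chain of pid (nearest first), stopping at unknown PIDs."""
    seen, cur = [], procs.get(pid, {}).get("ppid")
    while cur is not None and cur in procs and len(seen) < MAX_DEPTH:
        seen.append(cur)
        cur = procs[cur]["ppid"]
    return seen


def in_user_writable(path):
    """True for paths under a user profile, where a dropped interpreter would land."""
    return "\\users\\" in path.lower() or "\\appdata\\" in path.lower()


def hunt(events):
    """Return findings for both links of the chain, in event order."""
    procs, script_hosts = build_process_table(events)
    findings = []
    for pid, p in procs.items():
        name = ntpath.basename(p["image"]).lower()
        # Link 1: a Ruby interpreter descended from a process that loaded jscript9.dll.
        if name in RUBY_IMAGES:
            hosts = [a for a in ancestors(pid, procs) if a in script_hosts]
            if hosts:
                findings.append({"rule": "script_host_spawned_ruby", "pid": pid,
                                 "script_host_pid": hosts[0],
                                 "ruby_in_user_dir": in_user_writable(p["image"])})
        # Link 2: that Ruby interpreter launching a System32 binary (injection host).
        parent = procs.get(p["ppid"])
        if (parent and ntpath.basename(parent["image"]).lower() in RUBY_IMAGES
                and p["image"].lower().startswith(SYSTEM32)):
            findings.append({"rule": "ruby_spawned_system32_binary", "pid": pid,
                             "ruby_pid": p["ppid"], "image": p["image"]})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f)
```

Both rules fire on the constructed chain (PIDs 5208 and 5300) while the developer's Ruby session under Explorer is left alone; the `ruby_in_user_dir` flag is a useful secondary signal, since an interpreter dropped by an exploit will live under the user profile rather than in an installed location.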

For a detailed technical analysis, refer to the official report.

John C

Technologist and technical leader skilled in Cyber Incident Response, Computer Forensics, and Security and Detection Engineering.