Country of Origin: Likely from East Asia (speculated), with no firm attribution yet.
Motivation: Primarily espionage and financially motivated attacks, potentially involving data theft, ransomware, and phishing campaigns.
First Observed: Emerging actor with sightings in 2023.
Tactics, Techniques, and Procedures (TTPs):
Tactics: Espionage and data exfiltration, targeted attacks against critical infrastructure and financial institutions.
Techniques: Spear-phishing, exploitation of public vulnerabilities, and the use of malware payloads for financial gain.
Tools Used: A range of custom malware and known publicly available exploitation frameworks, specifics not fully detailed yet.
Associated Sectors Targeted:
Financial Services
Government (Critical Infrastructure)
Aerospace & Defense
Operations:
Primary Campaigns: Spear-phishing campaigns using advanced malware loaders and ransomware, targeting sensitive industries such as finance and government.
Recent Activities: Engagements have been focused on leveraging zero-day vulnerabilities and financial extortion through ransomware deployment.
TA-RedAnt, a North Korean threat actor, has been observed by ASEC researchers and South Korea’s National Cyber Security Center (NCSC) exploiting a previously unknown zero-day vulnerability in Microsoft Internet Explorer, tracked as CVE-2024-38178. This memory corruption vulnerability was part of a broader cyber-espionage campaign dubbed Operation Code on Toast.
The campaign targets a specific toast ad program that comes bundled with various free software. By exploiting this program, the attackers can ultimately deliver RokRAT, a remote access trojan known to be used by North Korean actors in cyber espionage efforts. RokRAT enables the actor to remotely control compromised systems, steal sensitive data, and potentially deploy additional payloads for further malicious activity.
The exploitation of this Internet Explorer vulnerability showcases the continued use of legacy software vulnerabilities by state-sponsored actors like TA-RedAnt, aiming to target less-protected systems still using outdated technologies.
Key Details:
Vulnerability: CVE-2024-38178 (Memory corruption in Internet Explorer)
Malware Delivered: RokRAT
Campaign Name: Operation Code on Toast
Target Method: A toast ad program bundled with free software
Implications: Data exfiltration, remote system control, further payload delivery.
This campaign highlights the importance of keeping software up-to-date and patching vulnerabilities promptly, even in legacy systems that may no longer be in widespread use.
Attribution:
Speculated Geopolitical Ties: Likely to be from East Asia; however, no definitive attribution to North Korea (DPRK) or any other specific state has been made.
dropboxusercontent.com (RokRAT is known to use cloud services such as Dropbox and Google Drive for C2 communication)
Command-and-Control (C2) IP Addresses:
103.243.17.152
104.28.0.102
Malicious Filenames:
Document.rtf
List.docx
update.exe
Known Malware Artifacts:
RokRAT is typically delivered via malicious Microsoft Office attachments (such as .doc, .xls, or .rtf files) that exploit vulnerabilities to download the malware.
The malware also uses legitimate cloud storage services for its command-and-control communication, making detection more difficult.
These IOCs represent common markers of RokRAT infections and should be added to security detection tools (SIEM, EDR, etc.) to monitor for possible compromises. For continuous monitoring, ensure your threat feeds are updated regularly.
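As an added illustration of the detection step described above (this is example code written for this profile, not tooling from the researchers or organisations it cites), the script below matches the IOCs listed on this page against a few constructed log lines in the style of a proxy, Sysmon, and DNS feed. Network indicators (the C2 IPs and the Dropbox content domain, including its subdomains) are scored higher than the filename indicators, because names like Document.rtf and update.exe also occur on clean hosts and should drive an analyst review rather than an automatic alert. The confidence weighting and the log format are assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# IOCs exactly as listed on this page.
IOCS = {
    "domain": {"dropboxusercontent.com"},
    "ip": {"103.243.17.152", "104.28.0.102"},
    "filename": {"Document.rtf", "List.docx", "update.exe"},
}

# Assumed weighting (not from the page): generic filenames collide with
# benign activity, so they only earn a "low" score on their own.
CONFIDENCE = {"ip": "high", "domain": "medium", "filename": "low"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FILE_RE = re.compile(r"[\w.-]+\.(?:rtf|docx?|xls[xm]?|exe)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    confidence: str


def _domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain if host equals it or is one of its subdomains."""
    host = host.lower()
    for d in IOCS["domain"]:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_line(line_no: int, line: str) -> list[Hit]:
    """Extract IPs, hostnames and filenames from one log line and check each against the IOC sets."""
    hits: list[Hit] = []
    for ip in set(IP_RE.findall(line)):
        if ip in IOCS["ip"]:
            hits.append(Hit(line_no, "ip", ip, CONFIDENCE["ip"]))
    for host in set(HOST_RE.findall(line)):
        d = _domain_matches(host)
        if d:
            hits.append(Hit(line_no, "domain", d, CONFIDENCE["domain"]))
    for fn in set(FILE_RE.findall(line)):
        for known in IOCS["filename"]:
            if fn.lower() == known.lower():
                hits.append(Hit(line_no, "filename", known, CONFIDENCE["filename"]))
    return hits


def scan(lines: list[str]) -> list[Hit]:
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        hits.extend(match_line(n, line))
    return hits


def triage(hits: list[Hit]) -> dict[int, str]:
    """Per line: 'alert' if a network IOC matched, 'review' if only filename IOCs did."""
    verdict: dict[int, str] = {}
    for h in hits:
        if h.ioc_type in ("ip", "domain"):
            verdict[h.line_no] = "alert"
        else:
            verdict.setdefault(h.line_no, "review")
    return verdict


# Constructed sample log lines (not real telemetry); private/documentation
# addresses are used for everything that is not a page IOC.
SAMPLE_LOGS = [
    "2024-10-17T09:12:03Z proxy src=10.0.5.21 dst=104.28.0.102 host=dl.dropboxusercontent.com uri=/s/abc/List.docx action=allow",
    "2024-10-17T09:12:09Z sysmon EventID=1 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "2024-10-17T09:15:44Z dns query=updates.example.com answer=93.184.216.34",
    "2024-10-17T09:20:00Z proxy src=10.0.5.22 dst=203.0.113.7 host=intranet.example.com uri=/reports/Document.rtf action=allow",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in sorted(found, key=lambda h: (h.line_no, h.ioc_type)):
        print(f"line {h.line_no}: {h.ioc_type}={h.value} ({h.confidence})")
    print(triage(found))
```

Line 1 combines a C2 IP, the Dropbox content domain and a listed filename, so it is raised as an alert; lines 2 and 4 match only a generic filename and are queued for review. In a SIEM the same split maps naturally onto two rules with different severities, and the domain check should stay suffix-based so that subdomains of dropboxusercontent.com are not missed.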
Unknown; phishing campaigns are typical of this group, so spear-phishing emails likely play a role.
MITRE ATT&CK Techniques:
Tactic: Technique (ID)
Initial Access: Spear-phishing via malicious links (T1566.001)
Execution: Command-line interface (T1059)
Persistence: Scheduled Task/Job (T1053.005)
Privilege Escalation: Exploitation of Vulnerabilities (T1068)
Defense Evasion: Obfuscated Files or Information (T1027)
Credential Access: Credential Dumping (T1003)
Discovery: System Information Discovery (T1082)
Lateral Movement: Remote Services (T1021)
Collection: Data from Local System (T1005)
Exfiltration: Exfiltration Over Command and Control (T1041)
Impact: Data Encrypted for Impact (Ransomware) (T1486)
Mitigation & Recommendations:
Patch Management: Ensure that all systems are patched regularly, especially against known vulnerabilities exploited in the wild.
Advanced Phishing Defense: Strengthen email gateway defenses to identify and block spear-phishing attempts.
Endpoint Detection and Response (EDR): Deploy and regularly monitor EDR solutions to detect lateral movement and command execution.
Network Segmentation: Segregate critical infrastructure from less secure areas of the network to minimize potential damage from successful intrusions.
Regular Backups: Ensure regular backups of sensitive and critical data to mitigate the impact of ransomware attacks.
This threat actor remains under continuous observation by various cybersecurity organizations, and new intelligence will provide clearer attribution and IOCs as their campaigns evolve.