Keypoints
- A zero-day vulnerability in Microsoft Internet Explorer’s JavaScript engine (jscript9.dll) was discovered and exploited.
- The operation, called “Operation Code on Toast,” is attributed to the North Korean threat actor TA-RedAnt.
- Attackers injected exploit code into an online advertising agency’s ad content script to weaponize ad delivery.
- The exploit targeted toast ad programs that use IE-based WebView, enabling a zero-click compromise when ads were rendered.
- The vulnerability is a type confusion in IE’s JavaScript optimization, allowing arbitrary code execution and subsequent malware download.
- Microsoft issued CVE-2024-38178 (CVSS 7.5) and released a security patch on August 13; users should apply updates promptly.
MITRE Techniques
- [T1078] Valid Accounts – Used conceptually as an initial access vector by exploiting software vulnerabilities rather than legitimate credentials; quote: (‘Exploiting vulnerabilities in software (e.g., IE) to gain access.’)
- [T1203] Exploitation for Client Execution – The attacker executed malicious code through compromised ad content delivered to the victim’s ad-rendering program; quote: (‘Executing malicious code through compromised ad content.’)
- [T1547] Boot or Logon Autostart Execution – The operation may achieve persistence by delivering and installing malware via the toast ad program mechanism; quote: (‘Installing malware via toast ad programs.’)
- [T1071] Application Layer Protocol – Compromised systems could be used to execute remote commands and communicate with operator infrastructure; quote: (‘Using compromised systems to execute remote commands.’)
Indicators of Compromise
- [CVE] Vulnerability identifier – CVE-2024-38178 (Microsoft patch referenced at msrc.microsoft.com)
- [File name / DLL] Vulnerable component – jscript9.dll (IE JavaScript engine)
- [URL] Analysis and advisory links – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38178, https://asec.ahnlab.com/en/83877/
- [Artifacts] Report PDFs – (전체본)공개보고서-OperationCodeonToast.pdf, (요약본)공개보고서-OperationCodeonToast.pdf
TA-RedAnt exploited a type confusion vulnerability in Internet Explorer’s JavaScript engine (jscript9.dll) that occurs when the engine’s optimization mistakenly treats one data type as another. The flaw permits arbitrary code execution during script parsing and was leveraged without user interaction by delivering specially crafted script via ad content rendered in an IE-based WebView.
Attackers compromised an online advertising agency’s ad delivery by injecting exploit code into the ad content script. Toast ad programs installed with various free software used IE-based WebView to render those ads; when the program downloaded and displayed the malicious ad, the jscript9.dll vulnerability triggered a zero-click download and execution of malware on the victim’s desktop.
Post-exploitation behaviors included installation of additional payloads and remote command execution. AhnLab ASEC and the NCSC reported the issue to Microsoft, which issued CVE-2024-38178 (CVSS 7.5) and released a patch on August 13. Organizations should update affected systems, remove or replace applications relying on IE-based WebView, and review ad-supply-chain integrity to mitigate similar attacks.
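One way to inventory applications that rely on an IE-based WebView, as recommended above (an added example, not code from the original report): it assumes Sysmon image-load events (Event ID 7) are exported as JSON lines with Computer, Image and ImageLoaded fields. The sample events, host names, the toastad.exe path and the EXPECTED_LOADERS list are constructed for illustration.

```python
import json
from collections import defaultdict
from ntpath import basename  # Windows path rules regardless of the analysis OS

TARGET_DLL = "jscript9.dll"          # vulnerable component named in the report
EXPECTED_LOADERS = {"iexplore.exe"}  # assumption: tune this list per environment

# Constructed sample input (not from the report): Sysmon events as JSON lines.
# The ad program path and host names are hypothetical.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Computer": "PC-01", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ImageLoaded": "C:\\Windows\\System32\\jscript9.dll"}
{"EventID": 7, "Computer": "PC-01", "Image": "C:\\Program Files (x86)\\FreeTool\\toastad.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\jscript9.dll"}
{"EventID": 7, "Computer": "PC-02", "Image": "C:\\Program Files (x86)\\FreeTool\\ToastAd.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\JSCRIPT9.DLL"}
{"EventID": 7, "Computer": "PC-02", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "Computer": "PC-02", "Image": "C:\\Program Files (x86)\\FreeTool\\toastad.exe"}
not-json garbage line
"""

def find_ie_engine_hosts(lines):
    """Map each unexpected process that loaded jscript9.dll to the hosts it ran on."""
    hits = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
        if not isinstance(ev, dict) or ev.get("EventID") != 7:
            continue  # only image-load events are relevant
        image = str(ev.get("Image", ""))
        loaded = str(ev.get("ImageLoaded", ""))
        if basename(loaded).lower() != TARGET_DLL:
            continue
        if basename(image).lower() in EXPECTED_LOADERS:
            continue
        # Windows paths are case-insensitive, so normalise before grouping.
        hits[image.lower()].add(str(ev.get("Computer", "unknown")))
    return {img: sorted(hosts) for img, hosts in hits.items()}

if __name__ == "__main__":
    for img, hosts in find_ie_engine_hosts(SAMPLE_EVENTS.splitlines()).items():
        print(f"{img} loads {TARGET_DLL} on: {', '.join(hosts)}")
```

Each process it reports is a candidate for removal or replacement and, until then, a host to prioritise for the update.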
Read more: https://asec.ahnlab.com/en/83877/