Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine
2024-10-16 • S2W
S2W analyzes CVE-2024-38178, a JScript9.dll type-confusion flaw patched by Microsoft in August 2024 and exploited in June against specific South Korean organizations. The activity is attributed in the source to APT37, also tracked as ScarCruft, and abused an ad pop-up process in software from a South Korean vendor to run attacker-controlled JavaScript with no further user interaction. The exploit bypassed the earlier CVE-2022-41128 patch and enabled remote code execution on Windows systems. The follow-on chain downloaded a Ruby engine, Ruby script, and encrypted payload, then decrypted and injected RokRAT in memory with cloud-storage C2 over Yandex or pCloud.
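As an added example (not code from S2W's report), the following Python hunt runs over constructed EDR process and network events and flags the two stages of the chain described above that leave endpoint telemetry: a Ruby interpreter launched from an unexpected path, and that process later talking to Yandex or pCloud hosts. The allowlisted client names, the Ruby install path and the hostname fragments are assumptions to tune per environment.

```python
"""Hunt constructed endpoint telemetry for the post-exploitation chain:
a dropped Ruby interpreter followed by C2 to consumer cloud storage."""

# Assumption: browsers and the vendors' own sync clients may legitimately
# reach consumer cloud-storage APIs; anything else is worth a look.
CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "pcloud.exe", "yandexdisk2.exe"}
# Assumption: hostname fragments for the two providers named in the report.
CLOUD_C2_MARKERS = ("yandex", "pcloud")
RUBY_IMAGES = {"ruby.exe", "rubyw.exe"}
# Assumption: the only sanctioned Ruby install lives under this prefix.
ALLOWED_RUBY_PATHS = ("c:\\ruby\\",)


def find_suspicious(events):
    """Return (rule, pid) tuples for events that match the chain's stages."""
    hits = []
    ruby_pids = set()  # processes already identified as a Ruby interpreter
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if e["type"] == "process":
            if image in RUBY_IMAGES:
                ruby_pids.add(e["pid"])
                if not e["image"].lower().startswith(ALLOWED_RUBY_PATHS):
                    hits.append(("ruby_from_unexpected_path", e["pid"]))
        elif e["type"] == "network":
            host = e["dest_host"].lower()
            if any(m in host for m in CLOUD_C2_MARKERS) and image not in CLOUD_CLIENTS:
                # A Ruby process reaching cloud storage is the strongest signal.
                rule = ("cloud_storage_c2_from_ruby" if e["pid"] in ruby_pids
                        else "cloud_storage_from_unusual_process")
                hits.append((rule, e["pid"]))
    return hits


# Constructed sample telemetry (not indicators from the report).
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "image": CHROME},
    {"type": "network", "pid": 4100, "image": CHROME, "dest_host": "cloud-api.yandex.net"},
    {"type": "process", "pid": 5200, "image": "C:\\Users\\Public\\rb\\ruby.exe"},
    {"type": "network", "pid": 5200, "image": "C:\\Users\\Public\\rb\\ruby.exe",
     "dest_host": "api.pcloud.com"},
    {"type": "process", "pid": 5300, "image": "C:\\ruby\\bin\\ruby.exe"},
]

if __name__ == "__main__":
    for rule, pid in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the Ruby process dropped under a user-writable path and its pCloud connection are reported; the browser's Yandex traffic and the sanctioned Ruby install stay quiet.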
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 09994a03b0a04853894f5d70b3afe85e | 2024-10-16 | 2024-10-16 |
| HASH | e11bb2478930d0b5f6c473464f2a2b6e | 2024-10-16 | 2024-10-16 |
| URL | https://mini.gomlab.com/player/… | 2024-10-16 | 2024-10-16 |
| DOMAIN | mini.gomlab.com | 2024-10-16 | 2024-10-16 |
| IPv4 | 1.0.0.8 | 2024-10-16 | 2024-10-16 |
| IPv4 | 4.2.3.14 | 2024-10-16 | 2024-10-16 |
| HASH | f6906de00a124b9fadee90722bf854c2 | 2023-07-26 | 2024-10-16 |