CVE-2024-38178 MS Scripting Engine

Subject: CVE-2024-38178 MS Scripting Engine

Tactics: TA0001 Initial Access

Technique: T1189 Drive-by Compromise (malvertising rendered by the software's embedded web viewer; this is client-side exploitation, not T1190 Exploit Public-Facing Application, which covers internet-facing servers)

Procedure:

  • The attacker targeted Windows users of a specific application that embeds a web viewer to display ads.
  • They registered a domain resembling that of a legitimate ad agency and served ads whose JavaScript carried the exploit.
  • The vendor accepted the look-alike domain as an ad source, so the application's ad pop-up process loaded and rendered the malicious ads.
  • When users launched the application, the rendered ad triggered a type confusion bug in the legacy JScript9.dll engine (CVE-2024-38178) without further user interaction, giving the attacker remote code execution inside the ad pop-up process.

Vulnerability: EAV0007 When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

  • Exploits Vulnerability:
    • Type Confusion in JScript9.dll (CVE-2024-38178) (ENG-2024-38178)
    • Lack of User Awareness
    • Lack of Vendor Verification of Ad Content
  • Engagement Opportunity:
    • Stand up an isolated host running the vulnerable version of the software as a decoy environment (D3FEND Decoy Environment, D3-DE); its ad pop-up will fetch the attacker's JavaScript, so the exploit stage and the follow-on payload can be captured and analysed without exposing production systems. Restrict the host's egress to the paths it needs to receive ads.
    • Monitor network traffic (D3FEND Network Traffic Analysis, D3-NTA) from the ad pop-up process for connections to the look-alike ad domain and for the cloud-storage traffic that follows a successful exploit.

Threat Actor: APT37 (ScarCruft), a North Korea-based threat group

Threat Objective:

  • Remote code execution on targeted systems
  • Download and execution of additional malware (RokRAT)
  • Communication with cloud storage services (Yandex, pCloud) for command and control

Deception Opportunity:

  • Deploy a decoy web server (D3FEND Decoy Network Resource, D3-DNR) that stands in for the cloud storage services RokRAT uses for C2 (Yandex, pCloud), so the implant's beacons and uploads can be captured and its behaviour analysed. Because RokRAT talks to the real services over HTTPS, the lab must resolve those hostnames to the decoy and trust a lab-issued certificate on the decoy victim, or the TLS handshake never completes.
  • Plant misinformation (D3FEND-MISINFORMATION) within the targeted software or related systems to deter or mislead the attackers.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

  • The initial malicious JavaScript payload is specific to the attacker's tools, while the exploited vulnerability lies in a pre-existing system component (JScript9.dll) that any application embedding the legacy web viewer loads.
  • Detecting the exploit therefore needs both application-level visibility into what the web viewer fetched and rendered, and user-mode telemetry on the process that loads JScript9.dll: which image loaded it, which hosts it then connected to, and whether it spawned child processes it has no reason to spawn.
  • Sensor Data Placement:
    • Application (Web viewer within the targeted software)
    • User-Mode (JScript9.dll execution)
  • Observable Level:
    • Core to Adversary-Brought Tool (Malicious JavaScript payload)
    • Core to Pre-Existing Tool (JScript9.dll vulnerability)
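As an added example, not code from this page or from the S2W report, the following Python correlates constructed Sysmon-style events along the two sensor placements above: user-mode image-load events for jscript9.dll, and the ad pop-up process's subsequent network connections and child processes. The image paths, hostnames and event records are constructed for the example; the look-alike-domain check also covers the "domain similar to a legitimate ad agency" step of the procedure.

```python
"""Correlate constructed Sysmon-style events to flag a JScript9.dll exploitation chain.

Event shapes follow Sysmon: event_id 1 = process creation, 3 = network
connection, 7 = image load. Every record below is constructed for this
example; none of it is telemetry from the APT37 incident.
"""
from difflib import SequenceMatcher

JSCRIPT9 = "jscript9.dll"
LOOKALIKE_THRESHOLD = 0.85  # similarity ratio above which a host counts as a look-alike

AD_POPUP = r"C:\Program Files\ExampleApp\AdPopup.exe"  # constructed image path

# Constructed sample: one malicious run (pid 4120) and one benign run (pid 6100).
SAMPLE_EVENTS = [
    {"event_id": 1, "ts": 100, "pid": 4120, "ppid": 3900, "image": AD_POPUP},
    {"event_id": 7, "ts": 101, "pid": 4120, "image": AD_POPUP,
     "image_loaded": r"C:\Windows\System32\jscript9.dll"},
    {"event_id": 3, "ts": 102, "pid": 4120, "image": AD_POPUP,
     "dest_host": "ads.example-agency.test"},        # the approved ad host
    {"event_id": 3, "ts": 103, "pid": 4120, "image": AD_POPUP,
     "dest_host": "ads-example-agency.test"},        # look-alike serving the exploit
    {"event_id": 1, "ts": 104, "pid": 5008, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe"},       # child spawned after exploitation
    {"event_id": 1, "ts": 200, "pid": 6100, "ppid": 3900, "image": AD_POPUP},
    {"event_id": 7, "ts": 201, "pid": 6100, "image": AD_POPUP,
     "image_loaded": r"C:\Windows\System32\jscript9.dll"},
    {"event_id": 3, "ts": 202, "pid": 6100, "image": AD_POPUP,
     "dest_host": "ads.example-agency.test"},
]


def closest_approved(host, approved_hosts):
    """Return (approved_host, similarity) for the approved host most like `host`."""
    best, best_ratio = None, 0.0
    for cand in approved_hosts:
        ratio = SequenceMatcher(None, host, cand).ratio()
        if ratio > best_ratio:
            best, best_ratio = cand, ratio
    return best, best_ratio


def correlate(events, approved_ad_hosts, expected_script_hosts):
    """Walk events in time order and return alerts for processes that loaded jscript9.dll.

    approved_ad_hosts: hostnames the vendor's ad process is allowed to contact.
    expected_script_hosts: image paths that legitimately host the legacy engine
    (the ad pop-up process, Internet Explorer, ...).
    """
    approved = {h.lower() for h in approved_ad_hosts}
    expected = {p.lower() for p in expected_script_hosts}
    script_hosts = {}  # pid -> image path, for processes that loaded jscript9.dll
    alerts = []

    def alert(severity, pid, rule, detail):
        alerts.append({"severity": severity, "pid": pid, "rule": rule, "detail": detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        eid, pid = ev["event_id"], ev["pid"]
        if eid == 7 and ev["image_loaded"].lower().endswith(JSCRIPT9):
            script_hosts[pid] = ev["image"]
            if ev["image"].lower() not in expected:
                alert("low", pid, "unexpected jscript9 host", ev["image"])
        elif eid == 3 and pid in script_hosts:
            host = ev["dest_host"].lower()
            if host in approved:
                continue
            match, ratio = closest_approved(host, approved)
            if ratio >= LOOKALIKE_THRESHOLD:
                alert("medium", pid, "look-alike of approved ad domain", f"{host} ~ {match}")
            else:
                alert("medium", pid, "jscript9 host contacted unapproved domain", host)
        elif eid == 1 and ev.get("ppid") in script_hosts:
            # A process that only renders ads has no reason to launch programs.
            alert("high", ev["ppid"], "jscript9 host spawned child process", ev["image"])
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, {"ads.example-agency.test"}, {AD_POPUP}):
        print(a)
```

On real hosts the same fields come from Sysmon event ID 7 (Image loaded), 3 (Network connection) and 1 (Process creation). Keep every image that legitimately embeds the legacy engine in expected_script_hosts, otherwise the low-severity rule fires on Internet Explorer itself; the high-severity child-process rule is the one worth paging on, since a rendered ad should never end with cmd.exe.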

Link to Report: https://medium.com/s2wblog/unmasking-cve-2024-38178-the-silent-threat-of-windows-scripting-engine-91ad954dbf83

Link to Report II.:

Additional Comments:

  • This attack highlights the risk of legacy components such as JScript9.dll: it is the JavaScript engine of Internet Explorer, it still ships with Windows, and any application that embeds the legacy web viewer control loads it, so retiring the Internet Explorer application did not remove the attack surface.
  • Applying the August 2024 security update that fixes CVE-2024-38178, and vendor vetting of third-party ad content before it is rendered inside the product, are the mitigations this case calls for.

Possible elements: Deception-as-a-Service (DaaS) Platform, Fake Software Updates

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: APT37 Attack Graph

[1]: Initial Access (TA0001) - Drive-by Compromise (T1189) - Malicious JavaScript served through look-alike ad domain accepted by the vendor (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Exploitation for Client Execution (T1203) - Trigger type confusion vulnerability (CVE-2024-38178) in JScript9.dll (Core to Pre-Existing Tool)
[3]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001) - Communicate with C2 over HTTPS (Core to Adversary-Brought Tool)
[4]: Persistence (TA0003) - Create or Modify System Process: Windows Service (T1543.003) - Install RokRAT malware as a Windows service (Core to Some Implementations of (Sub-)Technique)
[5]: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate data over HTTPS C2 channel (Core to Sub-Technique or Technique)

1 --> 2 (Type Confusion in JScript9.dll (ENG-2024-38178), Lack of User Awareness)
2 --> 3 (Lack of Network Monitoring)
3 --> 4 (Lack of System Monitoring)
4 --> 5 (Lack of Network Monitoring)
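The node and edge formats above can be machine-checked. The following Python is added here as an illustration; it is not tooling from this page or from any MITRE project. It parses MSG text into nodes and edges, validates that every edge refers to a defined node and names at least one exploited vulnerability, and walks the chain from the entry node. The sample input is this page's APT37 graph; the field names the parser produces are the example's own.

```python
"""Parse and validate the Malicious Sub-Graph (MSG) text format used on this page.

Node Format: '[id]: Tactic (TAxxxx) - Technique (Txxxx[.xxx]) - Procedure (Observable Level)'
Edge Format: 'src --> dst (Exploited Vulnerability, ...)'
"""
import re
from collections import Counter

NODE_RE = re.compile(r"^\[(\d+)\]:\s*(.*)$")
TACTIC_RE = re.compile(r"^(.*?)\s*\((TA\d{4})\)$")
TECH_RE = re.compile(r"^(.*?)\s*\((T\d{4}(?:\.\d{3})?)\)$")
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)\s*\((.*)\)$")

# Sample input: the APT37 graph from this page.
MSG_TEXT = """
# Example: APT37 Attack Graph
[1]: Initial Access (TA0001) - Drive-by Compromise (T1189) - Malicious JavaScript served through look-alike ad domain accepted by the vendor (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Exploitation for Client Execution (T1203) - Trigger type confusion vulnerability (CVE-2024-38178) in JScript9.dll (Core to Pre-Existing Tool)
[3]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001) - Communicate with C2 over HTTPS (Core to Adversary-Brought Tool)
[4]: Persistence (TA0003) - Create or Modify System Process: Windows Service (T1543.003) - Install RokRAT malware as a Windows service (Core to Some Implementations of (Sub-)Technique)
[5]: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate data over HTTPS C2 channel (Core to Sub-Technique or Technique)

1 --> 2 (Type Confusion in JScript9.dll (ENG-2024-38178), Lack of User Awareness)
2 --> 3 (Lack of Network Monitoring)
3 --> 4 (Lack of System Monitoring)
4 --> 5 (Lack of Network Monitoring)
"""


def _split_trailing(s):
    """Split 'text (group)' at its last balanced parenthesised group.

    Needed because procedures contain '(CVE-...)' and observable levels can
    contain nested parentheses such as '(Sub-)Technique'.
    """
    s = s.strip()
    depth = 0
    for i in range(len(s) - 1, -1, -1):
        depth += {")": 1, "(": -1}.get(s[i], 0)
        if depth == 0:
            if s[i] == "(" and s.endswith(")"):
                return s[:i].strip(), s[i + 1:-1].strip()
            break
    raise ValueError(f"no trailing parenthesised group: {s!r}")


def _split_top_level(s, sep=","):
    """Split on `sep` only where it sits outside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == sep and depth == 0:
            parts.append(s[start:i])
            start = i + 1
    parts.append(s[start:])
    return [p.strip() for p in parts if p.strip()]


def parse_msg(text):
    """Return ({node_id: fields}, [edges]); blank and '#' comment lines are skipped."""
    nodes, edges = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := NODE_RE.match(line):
            parts = m.group(2).split(" - ", 2)
            tm = TACTIC_RE.match(parts[0]) if len(parts) == 3 else None
            qm = TECH_RE.match(parts[1]) if tm else None
            if not qm:
                raise ValueError(f"malformed node line: {line!r}")
            procedure, observable = _split_trailing(parts[2])
            nodes[int(m.group(1))] = {
                "tactic": tm.group(1), "tactic_id": tm.group(2),
                "technique": qm.group(1), "technique_id": qm.group(2),
                "procedure": procedure, "observable": observable,
            }
        elif m := EDGE_RE.match(line):
            edges.append({"src": int(m.group(1)), "dst": int(m.group(2)),
                          "vulns": _split_top_level(m.group(3))})
        else:
            raise ValueError(f"unrecognised MSG line: {line!r}")
    return nodes, edges


def validate(nodes, edges):
    """Return a list of structural problems; an empty list means the graph is well-formed."""
    problems = []
    for e in edges:
        label = f"edge {e['src']} --> {e['dst']}"
        problems += [f"{label} references undefined node {e[k]}"
                     for k in ("src", "dst") if e[k] not in nodes]
        if not e["vulns"]:
            problems.append(f"{label} names no exploited vulnerability")
    incoming = Counter(e["dst"] for e in edges)
    roots = sorted(n for n in nodes if incoming[n] == 0)
    if len(roots) != 1:
        problems.append(f"expected one entry node, found {roots}")
    return problems


def attack_path(nodes, edges):
    """Follow edges from the entry node; returns node ids in attack order."""
    nxt = {e["src"]: e["dst"] for e in edges}
    incoming = {e["dst"] for e in edges}
    path = [n for n in nodes if n not in incoming][:1]
    while path and path[-1] in nxt and nxt[path[-1]] not in path:
        path.append(nxt[path[-1]])
    return path
```

A graph that fails validate() is not worth scoring: an edge with no named vulnerability means the engagement has no lever to pull at that step, and a dangling node id usually means a node was renumbered without its edges.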

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Example: APT37 Pseudocode

function Initial_Access_Drive_by_Compromise(target_software):
    # Serve malicious JavaScript from a look-alike ad domain accepted by the vendor
    # The payload is rendered by the ad pop-up process of target_software
    return execution_primitive

function Execution_Exploitation_for_Client_Execution(execution_primitive):
    # Exploit CVE-2024-38178 (type confusion in JScript9.dll) to gain remote code execution
    return C2_communication_module

function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
    # Establish HTTPS connection with C2 infrastructure (cloud storage services)
    # Receive commands and download RokRAT malware
    return RokRAT_installer

function Persistence_Create_or_Modify_System_Process(RokRAT_installer):
    # Install RokRAT as a Windows service
    return exfiltration_module

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltration_module):
    # Collect and send data to C2 server over HTTPS
    return success
