Despite being officially retired, Internet Explorer (IE) continues to pose a threat to users, with North Korean hackers exploiting vulnerabilities in the outdated browser to spread malware. Recent security research uncovered that the hacking group APT 37, also known as ScarCruft, launched a large-scale cyberattack in May using a zero-day vulnerability in Internet Explorer. Although Microsoft disabled the browser in 2022, remnants of IE still linger in Windows PCs, creating opportunities for cybercriminals to exploit the software.
The cyberattack began when the North Korean hacking group exploited a zero-day vulnerability in Internet Explorer to target users in South Korea. The findings come from South Korea’s National Cyber Security Center (NCSC) and the IT security provider AhnLab, which published a joint report detailing the incident.
The attack was made possible by Internet Explorer’s continued presence in modern Windows PCs. While IE has been officially disabled, it lives on through Microsoft’s Edge browser via a special IE mode, as well as through third-party modules that still rely on Internet Explorer’s underlying components. This made it easier for the hackers to exploit the outdated browser and distribute malicious software.
In this case, the hackers gained access to a South Korean online advertising agency’s server, which allowed them to inject malicious code into a pop-up ad. The pop-up then downloaded and executed the malware on the victim’s computer without requiring any user interaction—what security experts refer to as a “zero-click attack.” This type of attack is especially dangerous because it does not require users to click on a link or open a file to become infected.
How Hackers Used Internet Explorer to Deliver Malware
The vulnerability in Internet Explorer allowed the hackers to deliver a powerful piece of malware known as RokRAT. RokRAT is Windows-based malware that can execute remote commands on an infected computer and steal sensitive data, such as files, keystrokes, and system information. This malware has been used in previous cyber espionage campaigns attributed to North Korean hacking groups, primarily targeting South Korean government agencies, businesses, and individuals.
According to the security report, the hackers exploited the fact that many South Korean users often install free software that includes pop-up advertisements. These free programs, including antivirus software and other utilities, sometimes use Internet Explorer or “IE-related modules” to serve these ads. This reliance on outdated technology gave the hackers a foothold to deploy the malware through pop-up windows associated with these programs.
The attack also highlights the risks associated with using unsupported or outdated software. Even though Internet Explorer has been officially retired, its components are still embedded in various Windows systems, allowing hackers to exploit vulnerabilities in these lingering modules. While Microsoft has worked to phase out IE, the reliance of certain applications and systems on its components continues to pose a security risk.
Microsoft’s Response: Patching the Vulnerability
In response to the attack, Microsoft acted quickly, releasing a patch for the zero-day flaw in August. The vulnerability, labeled CVE-2024-38178, was fixed as part of the company’s regular security updates, helping to protect users from future exploits of the same vulnerability.
However, as security experts have pointed out, the patch may not be enough to fully eliminate the threat posed by Internet Explorer. Despite Microsoft’s efforts, hackers may continue to find ways to exploit the remnants of the outdated browser. The browser’s components remain in use by third-party modules, some of which are essential for certain enterprise applications and software systems.
BleepingComputer, a cybersecurity news platform, also warned that the incident underscores the broader issue of unsupported software in use across many organizations. Even though Microsoft is working to eliminate Internet Explorer from its systems, the fact that some software still relies on IE components creates an ongoing security risk for users.
The recent attack on South Korean users is a stark reminder of the dangers posed by outdated software, even when it is no longer actively in use. Hackers are constantly searching for vulnerabilities in old and unsupported software, and Internet Explorer is no exception. Even though it has been officially retired, its components continue to provide cybercriminals with opportunities to exploit unsuspecting users.
Security researchers have repeatedly warned users and organizations about the risks associated with using unsupported software. In the case of Internet Explorer, businesses and individuals that still rely on IE-related modules need to take proactive steps to protect their systems. This includes regularly updating software, applying security patches as soon as they are available, and migrating to more secure browsers and technologies that are actively supported by their developers.
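One way to find the "IE-related modules" discussed above on a given machine is to list the running processes that have loaded the legacy IE engine. The PowerShell below is an added example, not taken from the NCSC/AhnLab report or from Microsoft; the DLL names and the list of expected host processes are assumptions, since the article names no specific files.

```powershell
# Added example: inventory running processes that have loaded legacy IE engine DLLs.
# Assumption: these are the commonly known IE components (HTML renderer, IE frame,
# legacy script engines). The article itself does not name any module.
$ieModules = 'mshtml.dll', 'ieframe.dll', 'jscript.dll', 'jscript9.dll'

# Assumption: processes where an IE engine is expected. Adjust for your environment.
$expectedHosts = 'iexplore', 'msedge'

$findings = foreach ($proc in Get-Process) {
    try {
        # Reading the module list fails for protected processes unless elevated.
        $mods = $proc.Modules
    } catch {
        continue
    }
    if (-not $mods) { continue }

    # -contains is case-insensitive, so MSHTML.DLL and mshtml.dll both match.
    $hits = $mods | Where-Object { $ieModules -contains $_.ModuleName }
    if ($hits) {
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            Id          = $proc.Id
            Path        = $proc.Path
            IEModules   = ($hits.ModuleName | Sort-Object -Unique) -join ', '
            Expected    = $expectedHosts -contains $proc.ProcessName
        }
    }
}

# Unexpected hosts (Expected = False) sort first: these are the third-party
# programs still embedding IE components and the ones to patch or replace.
$findings | Sort-Object Expected, ProcessName | Format-Table -AutoSize
```

Run it from an elevated session so that more processes can be inspected. On Windows PowerShell 5.1 a 64-bit session may not list the modules of 32-bit processes, so repeat the check from the 32-bit PowerShell host when auditing older ad-supported utilities.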
For Microsoft, the challenge is to fully eliminate Internet Explorer from its systems while ensuring that legacy applications that still rely on the browser can transition to more secure alternatives. Until then, users remain at risk of future attacks that exploit the lingering remnants of the once-dominant browser.
While Microsoft’s patch for the CVE-2024-38178 vulnerability has addressed the immediate threat, the incident raises concerns about the broader risks associated with using outdated or unsupported technology. Hackers will continue to target vulnerable software, and it is critical for organizations to stay vigilant.
For users, the best way to protect against these threats is to ensure that their systems are up to date with the latest security patches and to avoid relying on obsolete software. With Internet Explorer now officially retired, the focus must shift toward ensuring that all legacy applications and systems using IE components are properly secured or replaced with modern alternatives.
In the meantime, cybersecurity professionals will continue to monitor for new vulnerabilities and exploits that target these outdated systems. As this latest attack shows, even “dead” software can still be a tool for hackers if it is not properly secured.