A North Korean threat actor is reportedly using two exploits in Internet Explorer 11 to infect victims with a customized implant in a campaign targeting a South Korean online newspaper, Daily NK.
According to security firm Volexity, the attacks were launched by InkySquid, a group also known as APT37 and ScarCruft. The attacks originated in March 2021, and the attackers managed to host their malicious code on Daily NK’s website, a technique known as a strategic web compromise (SWC).
The use of custom malware and the hiding of exploit code behind legitimate code allowed the attackers to evade detection, Volexity researchers said.
The attackers hid malicious JavaScript code inside the website’s jQuery JavaScript libraries. This code was used to exploit two security issues in Internet Explorer that were patched by Microsoft in August 2020:
- CVE-2020-1380 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
- CVE-2021-26411 (CVSS score: 8.8) – Internet Explorer Memory Corruption Vulnerability
The attackers’ goal was to deploy a Cobalt Strike stager and a novel backdoor called BLUELIGHT.
The two flaws were exploited in the wild, and one of them was used by North Korean hackers to infiltrate a security research group working on vulnerability research in January this year.
BLUELIGHT is a secondary payload that the attackers deploy after launching Cobalt Strike. It is a remote access tool that gives them complete control of the system.
The malware can gather system metadata and information related to installed antivirus products. It can also execute shellcode, steal passwords from various browser platforms, and install arbitrary files.
“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers,” the researchers noted. “The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.”