NK Hackers Deploy Browser Exploits on South Korean Media Site to Steal Information

A North Korean threat actor is reportedly using two exploits in Internet Explorer 11 to infect victims with a customized implant in a campaign targeting a South Korean online newspaper, Daily NK.

According to security firm Volexity, the attacks were launched by InkySquid, which is also known by the nicknames APT37 and ScarCruft. The attacks date from March 2021, and the attackers managed to host their malicious code on Daily NK’s website in what is known as a strategic web compromise (SWC).

Using custom malware and hiding exploit code behind legitimate code allowed the attackers to evade detection, Volexity researchers said.

The attackers hid malicious JavaScript code inside the jQuery JavaScript libraries served by the website. This code was used to exploit two security issues in Internet Explorer that were patched by Microsoft in August 2020:

  • CVE-2020-1380 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
  • CVE-2021-26411 (CVSS score: 8.8) – Internet Explorer Memory Corruption Vulnerability

The attackers’ goal was to deploy a Cobalt Strike stager and a novel backdoor called BLUELIGHT.

The two flaws were exploited in the wild, and one of them was used by North Korean hackers to infiltrate a security research group working on vulnerability research in January this year.

BLUELIGHT is a secondary payload that the attackers deploy after launching Cobalt Strike. It is a remote access tool that enables complete system access.

The malware can gather system metadata and information related to installed antivirus products. It can also execute shellcode, steal passwords from various browser platforms, and install arbitrary files.

“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers,” the researchers noted. “The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.