APT

NK-linked InkySquid APT leverages IE exploits in recent attacks

North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper.

Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the Daily NK South Korean online newspaper (www.dailynk[.]com).

APT37 has been active since at least 2012, it mainly targeted government, defense, military, and media organizations in South Korea.

The watering hole attacks on the Daily NK was conducted from March 2021 until early June 2021.

“The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.” reads the post published by Volexity. “Attackers will still have some success, however, and have a good chance of avoiding detection based on the following attributes of their attack:

  • Clever disguise of exploit code amongst legitimate code, making it harder to identify
  • Only allowing exploitable user-agents access to the exploit code, making it difficult to identify at scale (such as through automated scanning of websites)
  • Use of innovative custom malware, such as BLUELIGHT, after successful exploitation using C2 mechanisms which are unlikely to be detected by many solutions”

The researchers discovered a suspicious code that was loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Below some examples of URLs used to load malicious code:

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2

The attackers modified the content of legitimate files used by the website and included the code to redirect users to load malicious JavaScript from the attacker-owned domain jquery[.]services. The attackers included the malicious code only for short periods of time making hard the detection of the attack.

The threat actors leverage exploits for two Internet Explorer vulnerabilities, tracked as CVE-2020-1380 and CVE-2021-26411, that were respectively patched in August 2020 and March 2021.

CVE-2020-1380 is a Scripting Engine Memory Corruption Vulnerability that received a CVSS score of 7.5, while the CVE-2021-26411 was an Internet Explorer Memory Corruption vulnerability that received a CVSS score of 8.8.

Both vulnerabilities have been actively exploited in the wild by threat actors and the CVE-2021-26411 was already exploited by North Korean APT groups in attacks aimed at security researchers working on vulnerability research in January.

According to the experts, BLUELIGHT is used as a second-stage payload after the successful delivery of the initial Cobalt Strike payload.

BLUELIGHT was used to gather intelligence on the infected system and to provide remote access to the attackers, it supports the following commands:

  • Execute downloaded shellcode.
  • Download and launch an executable, then upload program output.
  • Harvest cookies and a password database for supported browsers.
    — Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale
  • Recursively search a path and upload file metadata (timestamps, size, and full path).
  • Spawn a thread to recursively search a path and upload files as a ZIP archive.
  • Terminate the file upload thread.
  • Uninstall the implant.

“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience. Attackers will still have some success, however, and have a good chance of avoiding detection base” concludes the experts.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, InkySquid)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

6 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

17 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

21 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.