Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the Daily NK South Korean online newspaper (www.dailynk[.]com).
APT37 has been active since at least 2012, it mainly targeted government, defense, military, and media organizations in South Korea.
The watering hole attacks on the Daily NK was conducted from March 2021 until early June 2021.
“The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.” reads the post published by Volexity. “Attackers will still have some success, however, and have a good chance of avoiding detection based on the following attributes of their attack:
The researchers discovered a suspicious code that was loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Below some examples of URLs used to load malicious code:
The attackers modified the content of legitimate files used by the website and included the code to redirect users to load malicious JavaScript from the attacker-owned domain jquery[.]services. The attackers included the malicious code only for short periods of time making hard the detection of the attack.
The threat actors leverage exploits for two Internet Explorer vulnerabilities, tracked as CVE-2020-1380 and CVE-2021-26411, that were respectively patched in August 2020 and March 2021.
CVE-2020-1380 is a Scripting Engine Memory Corruption Vulnerability that received a CVSS score of 7.5, while the CVE-2021-26411 was an Internet Explorer Memory Corruption vulnerability that received a CVSS score of 8.8.
Both vulnerabilities have been actively exploited in the wild by threat actors and the CVE-2021-26411 was already exploited by North Korean APT groups in attacks aimed at security researchers working on vulnerability research in January.
According to the experts, BLUELIGHT is used as a second-stage payload after the successful delivery of the initial Cobalt Strike payload.
BLUELIGHT was used to gather intelligence on the infected system and to provide remote access to the attackers, it supports the following commands:
“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience. Attackers will still have some success, however, and have a good chance of avoiding detection base” concludes the experts.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, InkySquid)
[adrotate banner=”5″]
[adrotate banner=”13″]