A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.
Cybersecurity firm Volexity attributed the watering hole attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021.
The "clever disguise of exploit code amongst legitimate code" and the use of custom malware enables the attackers to avoid detection, Volexity researchers said.
- CVE-2020-1380 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability
- CVE-2021-26411 (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability
It's worth noting that both the flaws have been actively exploited in the wild, with the latter put to use by North Korean hackers to compromise security researchers working on vulnerability research and development in a campaign that came to light earlier this January.
In a separate set of attacks disclosed last month, an unidentified threat actor was found exploiting the same flaw to deliver a fully-featured VBA-based remote access trojan (RAT) on compromised Windows systems.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
BLUELIGHT is used as a secondary payload following the successful delivery of Cobalt Strike, functioning as a full-featured remote access tool that provides complete access to a compromised system.
In addition to gathering system metadata and information about installed antivirus products, the malware is capable of executing shellcode, harvesting cookies and passwords from Internet Explorer, Microsoft Edge, and Google Chrome browsers, collecting files and downloading arbitrary executables, the results of which are exfiltrated to a remote server.
"While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers," the researchers noted. "The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience."