Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the Daily NK South Korean online newspaper (www.dailynk[.]com).
APT37 has been active since at least 2012, it mainly targeted government, defense, military, and media organizations in South Korea.
The watering hole attacks on the Daily NK was conducted from March 2021 until early June 2021.
“The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.” reads the post published by Volexity. “Attackers will still have some success, however, and have a good chance of avoiding detection based on the following attributes of their attack:
The researchers discovered a suspicious code that was loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Below some examples of URLs used to load malicious code:
CVE-2020-1380 is a Scripting Engine Memory Corruption Vulnerability that received a CVSS score of 7.5, while the CVE-2021-26411 was an Internet Explorer Memory Corruption vulnerability that received a CVSS score of 8.8.
Both vulnerabilities have been actively exploited in the wild by threat actors and the CVE-2021-26411 was already exploited by North Korean APT groups in attacks aimed at security researchers working on vulnerability research in January.
According to the experts, BLUELIGHT is used as a second-stage payload after the successful delivery of the initial Cobalt Strike payload.
BLUELIGHT was used to gather intelligence on the infected system and to provide remote access to the attackers, it supports the following commands:
“While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience. Attackers will still have some success, however, and have a good chance of avoiding detection base” concludes the experts.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, InkySquid)