Researchers uncovered a new browser-based attack by the infamous North Korean APT group, targeting victims with different browser exploits and delivering a new malware family dubbed “BLUELIGHT”.
InkySquid, a threat group based in North Korea and broadly known by the monikers ScarCruft and APT37, recently attacked a South Korean website (www.dailynk[.]com) focused on North Korean issues.
The threat group used recently patched exploits for Internet Explorer and Microsoft Edge. Although such exploits now have a limited chance of compromising a target, the attackers still applied sophisticated and clever techniques to evade detection.
During its investigation, Volexity found a watering hole attack (strategic web compromise, SWC) on the Daily NK website, carried out with malicious code planted on the site.
The attackers combined different browser exploits with the SWC and its payload, attempting to inject code that loads via www.dailynk[.]com from malicious subdomains of jquery[.]services.
Exploits Used for This Attack
The threat actors behind this attack used two different exploits for Internet Explorer and Microsoft Edge that trigger CVE-2020-1380 and CVE-2021-26411, both memory corruption vulnerabilities.
By abusing CVE-2020-1380, an IE memory corruption vulnerability, the attackers added a single line of code to the following legitimate file on Daily NK.
One interesting fact uncovered is that the exploit code includes many strings obfuscated inside variables designed to look like legitimate SVG content.
The attackers also abused CVE-2021-26411, another vulnerability in IE and the legacy version of Edge; the only major difference was the exploit code, shown in the following image.
In parallel, the attackers used a different subdomain of jquery[.]services to host a new and novel malware family, BLUELIGHT, which they deployed as a secondary payload after successfully deploying Cobalt Strike.
For communication, the BLUELIGHT malware used different cloud providers to facilitate C2, and it performs OAuth2 token authentication using hard-coded parameters.
The attackers also used several other techniques to avoid detection:
- Clever disguise of exploit code amongst legitimate code, making it harder to identify
- Only allowing exploitable user-agents access to the exploit code, making it difficult to identify at scale (such as through automated scanning of websites)
- Use of innovative custom malware, such as BLUELIGHT, after successful exploitation, with C2 mechanisms that are unlikely to be detected by many solutions
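As an added example (not code from the article or from Volexity), the following Python script applies two of the points above to a page's HTML from a defender's side: it lists the third-party script sources a page pulls in and flags hosts that borrow a library name such as "jquery" while sitting on a registered domain that is not one of that library's real CDNs, and it compares the same page as fetched with several User-Agent strings so that script tags served only to some browsers, the outside view of user-agent-gated exploit delivery, stand out. The sample responses, the placeholder subdomain `cdn.jquery[.]services`, and the `TRUSTED_LIBRARY_DOMAINS` allowlist are constructed for the example; fetching the page with each User-Agent is left to whatever client you already use.

```python
"""Triage helpers for a suspected strategic web compromise (constructed example).

Checks a page's third-party <script> sources for library-lookalike hosts and
compares the page as served to different User-Agents, so that script tags only
delivered to some browsers stand out.
"""
import re
from urllib.parse import urlparse

# Assumption: registered domains that legitimately serve each library.
# A site owner would extend this with the CDNs they actually use.
TRUSTED_LIBRARY_DOMAINS = {
    "jquery": {"jquery.com", "jsdelivr.net", "cloudflare.com", "googleapis.com"},
}

# Matches <script ... src="..."> or src='...'; good enough for static triage.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)


def refang(url):
    """Undo common defanging (hxxp, [.]) so an indicator can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com/.services style hosts."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def external_scripts(html, page_host):
    """Return [(host, src)] for script tags loaded from hosts other than page_host."""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(refang(src)).hostname  # None for relative paths like /js/site.js
        if host and host != page_host and not host.endswith("." + page_host):
            found.append((host, src))
    return found


def lookalike_library_host(host):
    """Return the library name a host imitates on an untrusted domain, else None."""
    reg = registered_domain(host)
    for lib, trusted in TRUSTED_LIBRARY_DOMAINS.items():
        if lib in host.lower() and reg not in trusted:
            return lib
    return None


def scripts_gated_by_user_agent(responses, page_host):
    """responses maps a User-Agent label to the HTML that User-Agent received.

    Returns {src: [labels that saw it]} for external scripts that were not
    served to every User-Agent; an empty dict means the page was identical.
    """
    seen = {}
    for label, html in responses.items():
        for _host, src in external_scripts(html, page_host):
            seen.setdefault(src, []).append(label)
    return {src: labels for src, labels in seen.items() if len(labels) < len(responses)}


def triage(responses, page_host):
    """Combine both checks into one list of human-readable findings."""
    findings = []
    for src, labels in scripts_gated_by_user_agent(responses, page_host).items():
        findings.append(f"script served only to {sorted(labels)}: {src}")
    flagged = {}
    for html in responses.values():
        for host, src in external_scripts(html, page_host):
            lib = lookalike_library_host(host)
            if lib:
                flagged[src] = (f"lookalike of {lib} on untrusted domain "
                                f"{registered_domain(host)}: {src}")
    findings.extend(flagged.values())
    return findings


# Constructed sample responses (not the real Daily NK pages). The IE and legacy
# Edge variants carry one extra injected <script> line; Chrome gets the clean file.
BASE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
</head><body><p>news</p></body></html>"""

# Placeholder subdomain of the domain named in the article, kept defanged.
INJECTED_LINE = '<script src="https://cdn.jquery[.]services/j.js"></script>\n'

SAMPLE_RESPONSES = {
    "Chrome": BASE_HTML,
    "IE11": BASE_HTML.replace("</head>", INJECTED_LINE + "</head>"),
    "Edge-legacy": BASE_HTML.replace("</head>", INJECTED_LINE + "</head>"),
}

if __name__ == "__main__":
    for line in triage(SAMPLE_RESPONSES, "www.dailynk.com"):
        print(line)
```

Running it on the constructed sample reports the injected tag twice: once because only the IE11 and legacy Edge fetches received it, and once because its host imitates jQuery on a registered domain outside the allowlist. On a real site the User-Agent set should include the browsers the exploit targets (older IE and legacy Edge strings) alongside a modern one, since a page that looks clean to the scanner's default client is exactly what the gating is designed to produce.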