Monday, December 23, 2024
HomeMalwareNorth Korean Hacker Group Uses Browser Exploits to Deliver a Custom Malware

North Korean Hacker Group Uses Browser Exploits to Deliver a Custom Malware

Published on

SIEM as a Service

The security experts of the cybersecurity firm, Volexity have recently reported an attack through which the North Korean Hacker Group using browser exploits to deploy the customer malware on the website.

It’s a very well-known North Korean hacker group that was behind this attack, not only this but they also have a limited number of victims utilizing exploits for vulnerabilities in a web browser to deliver custom malware.

The threat group behind this attack was called InkySquid, and they are using this exploit since 2020 in attacks against the Internet Explorer browser to download obfuscated Javascript code that is generally hidden inside the legitimate code.

- Advertisement - SIEM as a Service

SWC Activity

According to the security researchers, in April 2021 Volexity has recognized suspicious code that was loaded through www.dailynk[.]com to ill-disposed subdomains of jquery[.]services. 

There are two types of URLs that have been found, and that’s why we have mentioned them below:-

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2

The threat actors’ attacks have involved code that was only attached for a very short period of time, and soon after the operation, it was quickly removed. 

According to the report of the analysts, making a description of this activity is quite difficult as the ill-disposed content was hard to identify.

Security flaws

  • CVE-2020-1380 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability

Initially, Volexity was able to recognize the malicious code, and the threat actor was seen using the CVE-2020-1380, an exploit for Internet Explorer.

  • CVE-2021-26411 (CVSS score: 8.8) – Internet Explorer Memory Corruption Vulnerability

This CVE was used, in another exploit that is targeting the Internet Explorer as well as the legacy versions of Microsoft Edge. However, the redirect code was fixed up in a similar way as it was placed in the CVE-2020-1380.

Subdirectory names used

Below we have mentioned the subdirectory names used by the hackers:-

  • logo
  • normal
  • background
  • theme
  • round

Data gathered

Here’s the list of data that were gathered by the threat actors:-

  • Username
  • Computer name
  • OS version
  • Web IP
  • Local IP of default interface
  • LocalTime
  • Whether the implant binary is 32 or 64 bit
  • Process SID authority level
  • Process filename
  • List of AV products installed
  • Whether the infected machine has VM tools running

BLUELIGHT

The threat actors have implemented many attacks, and that’s why they have used a different subdomain of jquery[.]services so that they can host a new and novel malware family.

The security researchers pronounced that the “history” file was an XOR-encoded (0xCF) copy of a custom malware family and both the malware developer as well as the Volexity assign to as BLUELIGHT. 

The BLUELIGHT is generally used as a secondary payload that normally follows the successful performance of the Cobalt Strike. However, these strikes were generally used as an initial payload in both cases of exploitation.

In BLUELIGHT’s operations, the threat actors generally used the Microsoft Graph API for Microsoft 365, Office, and other services. As per the report of Volexity, a North Korean threat group, named as ScarCruft or APT37, is also behind the InkySquid attacks. 

Moreover, the experts are trying their best to know all the key details of this attack, and how it has been initiated so that they will easily bypass this kind of attack in the future.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

New Watering Hole Attack That Used Fake Adobe Flash Player Update To Deliver Malware

Cybersecurity threats are increasingly targeting vulnerabilities in publicly exposed assets like VPNs and firewalls,...

North Korean Hackers Stolen $2.2 Billion from Crypto Platforms in 2024

North Korean hackers are estimated to have stolen a staggering $2.2 billion in 2024,...

17M Patient Records Stolen in Ransomware Attack on Three California Hospitals

A staggering 17 million patient records, containing sensitive personal and medical information, have been...

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New Watering Hole Attack That Used Fake Adobe Flash Player Update To Deliver Malware

Cybersecurity threats are increasingly targeting vulnerabilities in publicly exposed assets like VPNs and firewalls,...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify...