North Korean hackers use browser exploits to drop malware


Malicious code disguised in legitimate code.

Security researchers have logged attacks from a known North Korean hacking group, targeting a limited number of victims with web browser exploits to drop a novel malware family onto computers.


The attackers, which security vendor Volexity tracks as InkySquid, used a strategic web compromise of a South Korean online news site to inject malicious code into it.

An exploit from 2020 was used against visitors running Microsoft's Internet Explorer browser to load obfuscated JavaScript code, which was hidden inside legitimate code.

Microsoft's legacy, first-generation Edge browser was targeted in the same fashion with a more recent exploit, which also worked against Internet Explorer.

In both cases, the JavaScript was decrypted into a stager for the Cobalt Strike penetration testing tool, followed by a secondary payload that Volexity has named BLUELIGHT.

BLUELIGHT is a new reconnaissance and information-stealing malware family that the hackers had set up to use different cloud providers for command and control.

In the Korean attacks, Volexity found that the Microsoft Graph application programming interface, which fronts Microsoft 365, Office and other services, was used for BLUELIGHT command-and-control operations.

Volexity attributed the attacks to InkySquid, a North Korean advanced persistent threat group that is also known as ScarCruft or APT37.

The hacking group has been active since 2012, targeting enterprises mainly in South Korea but also in other Asian countries and the Middle East.

Copyright © iTnews.com.au . All rights reserved.