North Korean APT Hackers Attack Victims Using MS IE & Edge Browser Exploits

Researchers uncovered a new browser-based attackers from the infamous North Korean APT Hackers groups targeting the victims with the different browser exploits names as “BLUELIGHT“.

InkySquid, a threat group based on North Korea and the groups broadly known as monikers ScarCruft and APT37 have recently attacked the South Korean website (www.dailynk[.]com) that is focused on North Korean issues.


Threat group using recently patched exploits for Internet Explorer and Microsoft Edge, but there are limited chances are there to compromise, but still attackers using some sophisticated and cleaver techniques to evade the detection.

During the Volexity security investigation, researchers found a Water hole attack(strategic web compromise (SWC) ) on the website of the Daily NK with Malicious code.

Attackers were used a different browser exploit with the SWC along with the payload, and they were attempts to inject code loads via www.dailynk[.]com to malicious subdomains of jquery[.]services.

When researchers dive deep into the URL that was found during the investigation, it leads to the legitimate files with the normal function of the website, but the content was modified that leads the users to load a malicious Javascript from the jquery[.]services which owned by the attack.

Exploited Used for This Attack

Threat actors behind this attack have used two different exploits based on the Internet Explorer and Microsoft Edge that trigger the CVE-2020-1380CVE-2021-26411, memory corruption vulnerabilities.

By abusing this CVE-2020-1380 IE memory corruption vulnerability, attack added a single line of code to the following legitimate file on Daily NK.


Once it will be successfully added, attackers inject a line of obfuscated code added to DailyNK that will operate to load additional JavaScript code if a user visited Daily NK using Internet Explorer.

According to the volexity report, With the correct Internet Explorer User-Agent, this host would serve additional obfuscated JavaScript code. As with the initial redirect, the attacker chose to bury their malicious code amongst legitimate code.”

Implementation of CVE-2020-1380

One of the interesting fact that was uncovered is, the exploit code of the attack includes many of the strings are obfuscated within variables designed to look like legitimate SVG content.

After the successful exploitation, a final SVG variable will be decrypted with the help of JavaScript, and the resulting blob contains the Cobalt Strike stager’s hex-encoded and also downloads the additional shell code.

On the other hand, attackers uses CVE-2021-26411, an another IE and Legacy version of Edge vulnerability that has been abused in this attack, the only major difference was the exploit code of the following image.

Parallelly, attackers using a different subdomain of jquery[.]services to host a new and novel malware family and actors using BLUELIGHT as a secondary payload after the successful deployment of the Cobalt Strike.

For communication, BLUELIGHT malware employed different cloud providers to facilitate C2, also it performs an oauth2 token authentication using hard-coded parameters.

Also attackers using several other technique to avoid detection as follows:-

  • Clever disguise of exploit code amongst legitimate code, making it harder to identify
  • Only allowing exploitable user-agents access to the exploit code, making it difficult to identify at scale (such as through automated scanning of websites)
  • Use of innovative custom malware, such as BLUELIGHT, after successful exploitation using C2 mechanisms which are unlikely to be detected by many solutions

You can obtain the Related IoCs and signatures in GitHub page here documented by Volexity.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.