Cyber Incident Victim: ENKI
Date: Jan 2021
Location: South Korea
Summary
A North Korean state-sponsored hacking group known as Lazarus targeted security researchers through social engineering, posing as collaborators to deliver malicious files. The attackers sent MHTML files, including one disguised as a Chrome exploit, which exploited an Internet Explorer zero-day vulnerability when opened, leveraging a double-free bug in IE 11 to execute malicious JavaScript. This enabled unauthorized data collection—including system processes, screen captures, and network information—and facilitated further payload execution from command-and-control servers. A South Korean cybersecurity firm that was itself targeted analyzed the attack; the exploit failed against the firm, which then reported the vulnerability to Microsoft.
Description
In early 2021, the North Korean state-sponsored hacking group Lazarus conducted a targeted campaign against security researchers, as initially disclosed by Google in January. The attackers created fake online personas posing as fellow researchers to establish contact with prominent individuals in the cybersecurity community through social media platforms. Under the guise of collaboration on vulnerability research and exploit development, Lazarus operatives distributed malicious Visual Studio Project files and shared links to compromised websites hosting exploit kits. These attack vectors deployed backdoors on victims' systems upon execution. Microsoft corroborated these findings, reporting that Lazarus had additionally sent malicious MHTML (MHT) files to researchers. These archive files, designed to open automatically in Internet Explorer, contained JavaScript payloads. At the time of Microsoft's initial investigation, the command-and-control (C2) infrastructure associated with these attacks was inactive, preventing further analysis of subsequent payload stages.

South Korean cybersecurity firm ENKI became a specific target of this campaign around February 2021, when their researchers received an MHTML file named "Chrome_85_RCE_Full_Exploit_Code.mht." Though the attack against ENKI ultimately failed, their analysis revealed novel technical details. The MHTML file exploited a previously unknown double-free vulnerability in Internet Explorer 11 (CVE-2021-26411), enabling arbitrary code execution when victims allowed script content to run. Upon successful exploitation, the payload executed reconnaissance activities including process enumeration, screen capture collection, and network information harvesting, which were exfiltrated to Lazarus-controlled C2 servers. The malware then attempted to retrieve and execute additional malicious modules from these servers. ENKI reported the zero-day vulnerability to Microsoft, prompting direct engagement between the organizations. Microsoft acknowledged receipt of the report and initiated an investigation, though no immediate patch or public advisory was issued at the time of ENKI's disclosure to BleepingComputer. The incident demonstrated Lazarus' continued focus on compromising specialized technical targets through multi-layered social engineering and zero-day exploitation.
