The InkySquid advanced persistent threat (APT) group, which researchers have linked to the North Korean government, was caught launching watering hole attacks against a South Korean newspaper using known Internet Explorer vulnerabilities.
In a new analysis, Volexity reported that its researchers noticed suspicious code being loaded on the Daily NK site, a news outlet focused on North Korea, starting in April. Although the links pointed to real files, malicious code was inserted only for brief periods, making it difficult to detect. The researchers suspect the attack ran between March and June.
“When requested, with the correct Internet Explorer user-agent, this host would serve additional obfuscated JavaScript code,” Volexity’s team reported. “As with the initial redirect, the attacker chose to bury their malicious code amongst legitimate code. In this case, the attacker used the ‘bPopUp’ JavaScript library alongside their own code.”
The researchers added that since the code is largely legitimate, it would likely evade both manual and automated detection. The code, which the attackers camouflage around real content, is consistent with Internet Explorer bug CVE-2020-1380, the report said.
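The detection problem described above is that the malicious script is served only to an Internet Explorer user agent and is buried among legitimate library code. A practical defender's check is to fetch the same page with two different User-Agent strings and diff the script content. The following added example (not code from Volexity's report or from the Daily NK site) does that comparison on two constructed HTML documents; the second document carries one extra inline block standing in for the obfuscated loader. The `eval`/decode markers are generic heuristics and are assumptions, not indicators taken from the report.

```python
"""
Compare the <script> content a page serves under two user agents and report
blocks that appear only in the Internet Explorer response.
Added example; both HTML samples are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser

# Constructed sample: the page as served to a modern browser
HTML_GENERIC = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="/js/bPopUp.js"></script>
</head><body><p>news</p></body></html>"""

# Constructed sample: the same page as served to an IE user agent, with one
# extra inline block (a harmless placeholder standing in for obfuscated code)
HTML_IE = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="/js/bPopUp.js"></script>
<script>var a="PLACEHOLDER";eval(a);</script>
</head><body><p>news</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def extract_scripts(html):
    """Return (external_srcs, inline_bodies) for one HTML document."""
    p = ScriptCollector()
    p.feed(html)
    return p.external, p.inline


def _norm(s):
    # collapse whitespace so formatting-only differences do not count as new code
    return re.sub(r"\s+", " ", s)


def ua_only_scripts(html_generic, html_ie):
    """Return (extra_external, extra_inline): scripts present only in the IE response."""
    ext_g, inl_g = extract_scripts(html_generic)
    ext_i, inl_i = extract_scripts(html_ie)
    inl_g_set = {_norm(s) for s in inl_g}
    extra_ext = [s for s in ext_i if s not in set(ext_g)]
    extra_inl = [s for s in inl_i if _norm(s) not in inl_g_set]
    return extra_ext, extra_inl


def suspicious_markers(script_body):
    """Generic heuristics (assumed, not from the report) for loader-like inline code."""
    markers = []
    if re.search(r"\beval\s*\(", script_body):
        markers.append("eval")
    if re.search(r"String\.fromCharCode|unescape\s*\(|atob\s*\(", script_body):
        markers.append("decode")
    return markers


if __name__ == "__main__":
    ext, inl = ua_only_scripts(HTML_GENERIC, HTML_IE)
    for src in ext:
        print("IE-only external script:", src)
    for body in inl:
        print("IE-only inline script:", body[:60], suspicious_markers(body))
```

In a live check the two documents would come from two requests with different User-Agent headers; because the report notes the injection was present only for brief periods, the comparison is worth scheduling repeatedly rather than running once.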
Another similar attack from the InkySquid group (aka APT37, Reaper or ScarCruft) leveraged CVE-2021-26411 to attack Internet Explorer as well as legacy versions of Microsoft Edge, according to Volexity.
“As with the CVE-2020-1380 example, the attacker made use of encoded content stored in SVG tags to store both key strings and their initial payload,” the researchers explained. “The initial command-and-control (C2) URLs were the same as those observed in the CVE-2020-1380 case.”
InkySquid’s Bluelight Malware
The group has also developed a new malware family that the report calls “Bluelight” — a name that was chosen because the word “bluelight” was used in the malware’s program database (PDB) code.
Cobalt Strike was used to initiate all three of these attacks, the report said. Bluelight appears to be delivered as a secondary payload.
“The Bluelight malware family uses different cloud providers to facilitate C2,” the report said. “This specific sample leveraged the Microsoft Graph API for its C2 operations. Upon start-up, Bluelight performs an OAuth2 token authentication using hard-coded parameters.”
After authentication, the malware creates a folder in a OneDrive subdirectory controlled by the C2 server, Volexity observed, using innocuous-sounding names like “logo,” “normal,” “background,” “theme” and “round.”
Then it sets about exfiltrating data, including the username, IP addresses, any VM tools running on the machine, the OS version and more, formatted as JSON (JavaScript Object Notation), the team explained.
“The main C2 loop starts after the initial upload of the reconnaissance data, iterating once every approximately 30 seconds,” the report said. “For the first five minutes, each iteration will capture a screenshot of the display and upload it to the ‘normal’ subdirectory with an encoded timestamp as the filename. After the first five minutes, the screenshot uploads once every five minutes.”
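Two traits in the C2 behaviour described above are observable from the network side: a near-constant request period toward the Graph API (about 30 seconds during the first five minutes) and uploads into drive folders with the innocuous names the report lists. The following added example (not code from Volexity's report) implements both checks over a constructed proxy log. The log format, hostnames and the Graph upload path shape are assumptions made for the demonstration; the page does not give Bluelight's actual request paths.

```python
"""
Beacon-period and folder-name detection for Graph API traffic in proxy logs.
Added example; all log lines below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: <iso-timestamp> <source-host> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
C2_FOLDERS = {"logo", "normal", "background", "theme", "round"}  # names from the report
GRAPH_HOST = "graph.microsoft.com"


def build_sample_log():
    """Constructed proxy log: one beaconing host and one host with ordinary Graph use."""
    lines = []
    t0 = datetime(2021, 4, 1, 9, 0, 0)
    # workstation-7: an upload roughly every 30 s into a 'normal' folder (0-2 s jitter)
    for i in range(12):
        ts = t0 + timedelta(seconds=30 * i + (i % 3))
        url = f"https://{GRAPH_HOST}/v1.0/me/drive/root:/normal/{1617267600 + 30 * i}.dat:/content"
        lines.append(f"{ts.isoformat()} workstation-7 PUT {url} 201")
    # workstation-12: a handful of irregular, legitimate-looking drive lookups
    for off in (0, 47, 310, 1205, 1211):
        ts = t0 + timedelta(seconds=off)
        lines.append(f"{ts.isoformat()} workstation-12 GET https://{GRAPH_HOST}/v1.0/me/drive/root/children 200")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "method": m["method"],
            "url": m["url"],
            "host": host,
        })
    return events


def find_beacons(events, expected=30.0, tolerance=0.25, min_requests=8):
    """Return {src: median_gap_seconds} for sources whose Graph requests have a steady period.

    A source is flagged when it made at least min_requests Graph requests, the median
    inter-arrival gap is within tolerance of the expected period, and the relative
    spread of the gaps is small (regular timing, not bursty human activity).
    """
    by_src = defaultdict(list)
    for e in events:
        if e["host"] == GRAPH_HOST:
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        spread = statistics.pstdev(gaps) / med if med else float("inf")
        if abs(med - expected) <= expected * tolerance and spread < tolerance:
            hits[src] = med
    return hits


def find_folder_uploads(events):
    """Return sorted (src, folder) pairs for PUT uploads whose path uses a reported folder name."""
    found = set()
    for e in events:
        if e["host"] != GRAPH_HOST or e["method"] != "PUT":
            continue
        for seg in e["url"].split("/"):
            if seg in C2_FOLDERS:
                found.add((e["src"], seg))
    return sorted(found)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("beaconing sources:", find_beacons(evs))
    print("uploads into reported folder names:", find_folder_uploads(evs))
```

The folder-name check on its own is noisy, since “logo” or “theme” are plausible names in legitimate OneDrive use; it is the combination with a steady period and PUT traffic from an endpoint that does not normally sync to OneDrive that makes the alert worth raising. After the first five minutes the report says the interval grows to five minutes, so a second pass with `expected=300` and a longer window catches the later phase.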
While leveraging known IE bugs won’t work on a wide swath of targets, once a system is infected, detection is difficult thanks to the use of legitimate code as cover.
“While strategic web compromises (SWCs) are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers,” the report said.