InkySquid North Korean APT Exploits IE Bugs

A team of researchers working with security firm Volexity spotted a watering-hole attack conducted by a threat actor known as InkySquid. The handle InkySquid belongs to an advanced persistent threat actor or APT, which is believed to operate out of North Korea and have state backing.

The watering-hole attack conducted by InkySquid, also known as APT37, was aimed at a publication based in South Korea, dealing with news and stories related to North Korea. The victim is called Daily NK.

A watering-hole attack is the infosec term for a particular attack vector: the threat actors inject malware into a website that is commonly visited by people from the intended target. When staff of the target organization visit the site, their systems become infected, giving the attackers a foothold from which to push further into the network.

The attacks abuse a known vulnerability in old versions of Internet Explorer, designated CVE-2020-1380. It only affects older versions of Internet Explorer, which have by now largely been replaced by Microsoft's Edge browser.

The watering-hole attack is carried out using malicious code buried deep inside the legitimate code that the site runs. According to the Volexity researchers, this makes the malware very difficult to detect, whether by automated scanners or by manual review.

The InkySquid hackers used a JavaScript library together with their own malicious code to inject the site with malware. The initial payload is hidden inside encoded strings stored in the tags of SVG files. The command and control infrastructure used by InkySquid in this attack relies entirely on cloud services.
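As an added detection-side example (not code from Volexity or from the article), the following Python heuristic walks an SVG document and flags any text node or attribute value that is a long, cleanly decodable base64 run, which is the kind of hiding spot described above; the sample SVG is constructed for the example and is not from the campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample SVG (not a real artifact): one ordinary <path>, and a
# <desc> element carrying a long base64 string where a payload could be parked.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">\n'
    '  <path d="M0 0 L10 10" stroke="black"/>\n'
    "  <desc>" + base64.b64encode(b"A" * 96).decode() + "</desc>\n"
    "</svg>"
)

# A run of base64-alphabet characters; the minimum length is applied separately.
BASE64_RUN = re.compile(r"^[A-Za-z0-9+/=]+$")


def find_encoded_strings(svg_text, min_len=64):
    """Return (element tag, location, preview) for each text node or attribute
    value that is at least min_len characters, uses only the base64 alphabet,
    and decodes without error. Heuristic only: long path data or embedded
    fonts can also trigger it, so hits are candidates for analyst review."""
    hits = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        candidates = [("text", elem.text or "")]
        candidates += [("@" + k, v) for k, v in elem.attrib.items()]
        for where, value in candidates:
            value = value.strip()
            if len(value) < min_len or not BASE64_RUN.match(value):
                continue
            try:
                base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
            except ValueError:
                continue
            tag = elem.tag.split("}")[-1]  # drop the XML namespace prefix
            hits.append((tag, where, value[:16] + "..."))
    return hits


if __name__ == "__main__":
    for tag, where, preview in find_encoded_strings(SAMPLE_SVG):
        print(f"suspicious encoded string in <{tag}> ({where}): {preview}")
```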

The Bluelight malware family that represents the final payload, custom-made by InkySquid, uses both Microsoft and Google cloud services and apps as its command and control points.

Once the malware is deployed, it can collect and exfiltrate information from the victim system, including the IP address, any virtual machines found running, and the OS version, among other details.

The attack is aimed at deprecated versions of Microsoft's IE browser, so it is not as dangerous as it might seem at first glance. Still, the fact that the malicious code was hidden so well among the watering-hole site's legitimate code shows that the hackers behind the campaign have considerable skill.

August 24, 2021
