InkySquid North Korean APT Exploits IE Bugs
Researchers at the security firm Volexity spotted a watering-hole attack conducted by a threat actor tracked as InkySquid. InkySquid is an advanced persistent threat (APT) group believed to operate out of North Korea with state backing.
InkySquid, also tracked as APT37, compromised Daily NK, an online publication based in South Korea that covers news and stories about North Korea. Daily NK's site was the watering hole; its readership, people with a professional interest in North Korea, was the intended target.
A watering-hole attack is an attack vector in which, instead of approaching the intended targets directly, the threat actors compromise a website those targets are known to visit and plant malicious code on it. When members of the target group browse the site, their workstations are infected, typically through a browser exploit, and the attackers gain a foothold from which they can move further into the victim's network.
The attacks abuse a known vulnerability in Internet Explorer, CVE-2020-1380, a memory-corruption flaw in the browser's scripting engine that Microsoft patched in August 2020. Only Internet Explorer installations missing that update are exposed, and the browser has in any case been largely replaced by Microsoft's Edge; but a victim who reaches the page with an unpatched IE gets attacker-controlled code running in the browser's context without any further interaction.
The watering-hole attack is carried out with malicious code buried inside legitimate code that the site already runs. According to the Volexity researchers, this makes the malware very hard to spot, both for automated scanners, which are unlikely to flag a small change to a familiar library, and for a person reviewing the site's files by hand.
Specifically, InkySquid hid its loader inside a legitimate JavaScript library served by the site rather than adding a separate, obviously suspicious script. The initial exploit payload is stored as encoded strings inside the tags of SVG image files, a file type not normally inspected for script. The command-and-control infrastructure used in this attack relies entirely on cloud services.
BLUELIGHT, the custom-made malware family that serves as the final payload, uses both Microsoft and Google cloud services as its command-and-control channel. Because that traffic goes to services almost every organisation already uses, it cannot be blocked by destination and is hard to distinguish from ordinary use; the useful question for defenders is which process on the host is talking to them.
Once deployed, the malware collects and exfiltrates information about the victim system, including its IP address, whether the host appears to be a virtual machine, and the OS version, among other details.
The attack targets deprecated, unpatched versions of Microsoft's Internet Explorer, so it is not as dangerous as it might seem at first glance, although IE 11 still shipped with Windows 10 in 2021 and the exposure was real for anyone who had not applied the August 2020 update. The fact that the malicious code was hidden so well among the watering-hole site's legitimate code shows that the group behind the campaign has considerable skill.