InkySquid Threat Actor Abusing Internet Explorer Vulnerabilities
Security researchers have spotted a new campaign attributed to a suspected state-sponsored North Korean threat actor tracked as APT37, also known as InkySquid. The campaign targets a South Korean news site and its readers using what the security community calls a 'watering hole attack'.
Watering hole attacks rely on observation or educated guesswork. Threat actors identify a website or online service that employees of the target organization routinely visit and then compromise that site so that it serves malicious code to its visitors. When the victims browse the site as they usually do, their machines are eventually infected, without the attacker ever having to contact them directly.
The research into this attack was conducted by researchers at the security firm Volexity. The team spotted suspicious code being loaded into the website of Daily NK, a South Korean news site that deals primarily with news about the country's northern neighbor.
The malicious code was blended in among the site's legitimate scripts, and the researchers believe it would easily evade both automated scanning and manual review. The Internet Explorer vulnerability the attack exploits is tracked as CVE-2020-1380, a memory corruption flaw in the browser's scripting engine that Microsoft patched in August 2020, so the exploit only succeeds against visitors running an unpatched Internet Explorer.
As for the mechanics of the attack, InkySquid hid its code as encoded strings stored inside SVG (Scalable Vector Graphics) tags on the page, where a long opaque string sits inconspicuously next to ordinary markup and is unlikely to be inspected.
The same threat actor also deployed a new malware family that the researchers dubbed Bluelight. In these attacks Bluelight is delivered as a second-stage payload; the first stage is the code stored in the encoded SVG strings, which is decoded and run in the victim's browser once the vulnerability has been triggered.
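As an added example (not Volexity's tooling and not content from the Daily NK site), the Python script below shows the kind of heuristic check a defender can run over a saved copy of a page's HTML to surface encoded blobs hiding inside SVG tags: it collects every text token and attribute value that occurs within an `<svg>` element, keeps those that look like base64 and have high entropy, and tries to decode them to see whether the result reads like JavaScript. The sample markup, the length and entropy thresholds, and the list of script markers are assumptions constructed for this illustration.

```python
"""Heuristic scan for encoded strings hidden inside <svg> tags of an HTML page.

Added example, not Volexity's tooling or the Daily NK page content. The sample
markup, the length/entropy thresholds and the script marker list below are
assumptions made for this illustration.
"""
import base64
import binascii
import math
import re
from html.parser import HTMLParser

# Base64 alphabet with optional padding. The 40-character minimum is an
# assumption: short tokens (ids, class names) are noise, while long ones are
# rare in legitimate SVG unless they are embedded images, which decode to
# binary rather than printable text.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Substrings suggesting that decoded content is JavaScript (assumed list).
_JS_MARKERS = ("function", "eval(", "document.", "unescape(",
               "String.fromCharCode", "var ", "ActiveXObject")


def shannon_entropy(s: str) -> float:
    """Bits per character: prose and markup sit near 4, base64 blobs above 5."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class SvgStringCollector(HTMLParser):
    """Collect text tokens and attribute values that occur inside <svg>...</svg>."""

    def __init__(self):
        super().__init__()
        self.depth = 0      # how many <svg> elements we are currently inside
        self.strings = []   # (location, value) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
        if self.depth:
            for name, value in attrs:
                if value:
                    self.strings.append((f"attr:{tag}@{name}", value.strip()))

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            for token in data.split():
                self.strings.append(("text", token))


def try_decode(blob: str):
    """Return the decoded text if blob is valid base64 of printable text, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_svg(html: str, entropy_threshold: float = 4.2):
    """Return findings for base64-looking, high-entropy strings inside <svg> tags."""
    collector = SvgStringCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for where, value in collector.strings:
        if not _B64_RE.match(value):
            continue
        entropy = shannon_entropy(value)
        if entropy < entropy_threshold:
            continue
        decoded = try_decode(value)
        findings.append({
            "where": where,
            "length": len(value),
            "entropy": round(entropy, 2),
            "decodes_to_text": decoded is not None,
            "script_markers": [m for m in _JS_MARKERS if decoded and m in decoded],
        })
    return findings


# Constructed sample page: a harmless logo SVG plus an SVG whose <text> node
# carries a base64-encoded JavaScript stub standing in for a first-stage loader.
_STAGE_JS = (b"var s=unescape('%u9090%u9090');function go(){"
             b"eval(document.getElementById('x').textContent);}go();")
_HIDDEN = base64.b64encode(_STAGE_JS).decode()

BENIGN_SVG = ('<svg viewBox="0 0 24 24"><path d="M12 2 L2 22 L22 22 Z" fill="#336699"/>'
              '<text x="4" y="20">Logo</text></svg>')
SUSPECT_SVG = f'<svg width="0" height="0"><text id="x">{_HIDDEN}</text></svg>'
SAMPLE_HTML = f"<html><body>{BENIGN_SVG}<p>Daily headlines</p>{SUSPECT_SVG}</body></html>"

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_HTML):
        print(finding)
```

Run against the constructed page, the benign logo produces nothing (path data and viewBox values contain spaces and fail the base64 check) while the hidden string is reported as a base64 token inside a text node that decodes to text containing `eval(` and `document.`. Embedded data-URI images will also trip the base64 check but fail `try_decode`, so a finding with `decodes_to_text` false and no markers is the expected benign case, and anything that decodes to script-like text deserves a manual look.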
Bluelight's command and control relies on legitimate cloud services, including the Microsoft Graph API and Google Drive, so its traffic goes to trusted, widely used domains and blends in with ordinary business activity instead of standing out as connections to attacker-owned infrastructure.
Thankfully, with Internet Explorer now largely replaced by Edge for those who want to stick with their Windows system's built-in browser, the exploit will fail against the great majority of visitors; only those still browsing in an unpatched Internet Explorer remain exposed. Despite that, researchers noted that the malicious code was unusually well hidden on the site used as the watering hole, which makes similar attacks very difficult to spot.