Researchers from Volexity recently investigated a Strategic Web Compromise (SWC) of the Daily NK website by InkySquid. The targeted site is an online newspaper based in South Korea that publishes news about North Korea. The investigation uncovered several exploits and a payload named BlueLight.

A malicious script was observed on the Daily NK website between late March and early June. The activity was associated with a threat actor known as InkySquid (APT37).

  • Researchers spotted suspicious code loaded via dailynk[.]com from malicious subdomains of jquery[.]services.
  • Multiple URLs were used to load the malicious code. These URLs pointed at legitimate files that are part of the normal operation of the Daily NK website.
  • The malicious code caused visitors' browsers to load JavaScript from an attacker-controlled domain.
  • The attackers later removed the malicious code again, which makes identifying this activity challenging for researchers.

Exploited vulnerabilities and BlueLight malware

The attacker abused CVE-2020-1380, a scripting-engine memory-corruption flaw in Internet Explorer (IE). The attacker had added a single line of code to a legitimate file on the Daily NK website, which loaded malicious JavaScript for visitors using IE.

A second flaw, CVE-2021-26411, a memory-corruption vulnerability in IE and older (EdgeHTML-based) versions of Microsoft Edge, was also abused. The redirect code was the same as in the CVE-2020-1380 case; only the exploit code differed.

In another instance, the attacker used a subdomain of jquery[.]services to host a new malware family, which Volexity researchers named BlueLight. BlueLight was delivered as a secondary payload through Cobalt Strike.

Final Thoughts

SWC attacks are not as common as they once were, but adversaries such as InkySquid still use them. The group abuses old vulnerabilities in IE and Microsoft Edge and disguises its loader as legitimate-looking code, likely to evade detection, which indicates that InkySquid is experienced with and understands this attack technique.