Researchers from Volexity recently investigated a Strategic Web Compromise of the Daily NK website by InkySquid. The targeted site is an online newspaper based in South Korea that posts news related to North Korea. The investigation revealed different exploits and a payload named BlueLight.
A malicious script was observed on the Daily NK website between late March and early June. The activity was associated with a threat actor known as InkySquid (APT37).
- Researchers spotted suspicious code loaded via dailynk[.]com that called out to malicious subdomains of jquery[.]services.
- Multiple URLs were used to load the malicious code. These URLs pointed at legitimate files used as part of the normal operation of the Daily NK website.
- The malicious code was removed again afterwards, making identification of this activity challenging for researchers.
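One defensive check the bullets above suggest is auditing the external script sources a site actually serves, flagging third-party hosts that are not on an allowlist and, in particular, hosts that borrow a well-known library name such as jQuery. The following is an added example written for this summary, not code from Volexity or Daily NK; the trusted host list, the library-name list and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of script hosts this site is expected to load from.
TRUSTED_SCRIPT_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}
# Library brands often mimicked by lookalike domains (e.g. jquery[.]services).
LIBRARY_NAMES = ("jquery", "bootstrap", "angular")


class ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_script_sources(html, site_host):
    """Return (src, reason) pairs for third-party script hosts that deserve review."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # Relative paths have no host and are first-party; "//host/x.js" is protocol-relative.
        host = urlparse(src if "//" in src else "//" + src).hostname
        if not host:
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue  # first-party
        if host in TRUSTED_SCRIPT_HOSTS:
            continue  # allowlisted CDN
        reason = "unknown third-party script host"
        if any(lib in host for lib in LIBRARY_NAMES):
            reason = "lookalike of a well-known library domain"
        findings.append((src, reason))
    return findings


# Constructed sample page: one local script, one allowlisted CDN, one lookalike host.
SAMPLE_HTML = """<html><head>
<script src="/wp-content/themes/site/js/main.js"></script>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="https://cdn.jquery.services/jquery-3.5.1.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, reason in audit_script_sources(SAMPLE_HTML, "dailynk.com"):
        print(f"{reason}: {src}")
```

Run against periodic fetches of a site's pages, a diff of these findings over time also surfaces injections that are served only briefly and then removed.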
Exploited vulnerabilities and BlueLight malware
A flaw (CVE-2021-26411) in Internet Explorer and older versions of Microsoft Edge was abused. The attack reused the same redirect code seen in the earlier CVE-2020-1380 activity; only the exploit code differed.
In another instance, the attacker used a subdomain of jquery[.]services to host a new malware family. Volexity researchers named the malware BlueLight; it was delivered via Cobalt Strike.
SWC attacks are no longer common, yet adversaries such as InkySquid still use them. The group abuses old vulnerabilities in IE and Microsoft Edge and hides its injections in legitimate-looking code. These appear to be attempts to evade security monitoring, indicating that InkySquid has considerable experience with and understanding of such attack techniques.