Quote:The InkySquid advanced persistent threat (APT) group, which researchers have linked to the North Korean government, was caught launching watering hole attacks against a South Korean newspaper using known Internet Explorer vulnerabilities.
New analysis from Volexity reported its team of researchers noticed suspicious code being loaded on the Daily NK site, a news outlet focused on North Korea, starting in April. And although the links led to real files, malicious code was being inserted for brief periods, making it difficult to detect. The researchers suspected the attack was ongoing between March and June.
“When requested, with the correct Internet Explorer user-agent, this host would serve additional obfuscated JavaScript code,” Volexity’s team reported. “As with the initial redirect, the attacker chose to bury their malicious code amongst legitimate code. In this case, the attacker used the ‘bPopUp’ JavaScript library alongside their own code.”
The researchers added that since the code is largely legitimate, it would likely evade both manual and automated detection. The code, which the attackers camouflage around real content, is consistent with Internet Explorer bug CVE-2020-1380, the report said.
Another similar attack from the InkySquid group (aka APT37, Reaper or ScarCruft) leveraged CVE-2021-26411 to attack Internet Explorer as well as legacy versions of Microsoft Edge, according to Volexity.
“As with the CVE-2020-1380 example, the attacker made use of encoded content stored in SVG tags to store both key strings and their initial payload,” the researchers explained. “The initial command-and-control (C2) URLs were the same as those observed in the CVE-2020-1380 case.”
Read more: InkySquid State Actor Exploiting Known IE Bugs
![[-]](https://www.geeks.fyi/images/collapse.png)
