In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT. This follow-up post describes findings from a recent investigation undertaken by Volexity in which the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka DOGCALL). RokRAT is a backdoor previously attributed to use by ScarCruft/APT37, which is also known as InkySquid. It should be noted that Volexity identified some overlap between the findings discussed in this post and this Korean-language article. Analysis Volexity is often asked to analyze systems of users frequently targeted by state-sponsored threat actors based on some tip-off or concern that the systems may be compromised. In this case, it was a system belonging to an individual who is […]
InkySquid
-
North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
August 24, 2021
by Damien Cash, Josh Grunzweig, Steven Adair, Tom Lancaster
-
North Korean APT InkySquid Infects Victims Using Browser Exploits
August 17, 2021
by Damien Cash, Josh Grunzweig, Matthew Meltzer, Steven Adair, Tom Lancaster
Volexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea. Malicious code on the Daily NK website was observed from at least late March 2021 until early June 2021. This post provides details on the different exploits used in the SWC, as well as the payload used, which Volexity calls BLUELIGHT. Volexity attributes the activity described in this post to a threat actor Volexity refers to as InkySquid, which broadly corresponds to activity known publicly under the monikers ScarCruft and APT37. SWC Activity In April 2021, through its network security monitoring on a customer network, Volexity identified suspicious code being loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Examples of URLs observed loading malicious code include the following: hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 These URLs lead to legitimate files used as part of the […]