InkySquid hacker group from North Korea exploits web browsers to deliver malware

August 31, 2021

Cybersecurity researchers have reported that a North Korean hacker group is exploiting web browsers to deliver and deploy custom malware to visitors of compromised websites. Behind the campaign is a well-known North Korean threat group called InkySquid, which has been carrying out browser-exploitation attacks of this kind since 2020.

Internet Explorer, still one of the most widely used web browsers worldwide, has been their target from the start: the browser is made to load obfuscated JavaScript that is hidden inside otherwise legitimate code.

In April 2021, security researchers identified suspicious code being loaded via the website www.dailynk(dot)com from malicious subdomains of jquery[.]services. Two of the URLs the researchers found are listed below:

hxxps://www.dailynk(dot)com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 

hxxps://www.dailynk(dot)com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 

The malicious code was removed by the InkySquid operators as soon as each operation was finished and was reportedly only present for short periods of time.

Analysts found it hard to document the entire attack chain, since identifying the malicious content, the subdirectory names it used, and the data it collected was itself challenging.

The threat actors used the subdirectory names logo, theme, normal, background, and round. The data they collected from victims included the username, computer name, external (web) IP address, OS version, local time, whether the implanted binary was 32- or 64-bit, the local IP of the default interface, the process file name, the process SID authority level, an indicator of whether VM tools were running, and a list of installed antivirus products.
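The indicators above (the compromised site, the jquery[.]services domain and its subdirectory names) are enough to hunt in proxy logs. The following is an added example, not code from the article or from the researchers: it parses a constructed proxy log format, flags requests to jquery[.]services subdomains, and correlates them per client with a preceding load of the site's jQuery scripts. The log lines, the subdomain names (cdn, static) and the client addresses are constructed for the example; only the domain, the dailynk script path and the subdirectory names come from the report.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Indicators from the report (defanged forms written out for matching).
COMPROMISED_SITE = "www.dailynk.com"
SCRIPT_PREFIX = "/wp-includes/js/jquery/"
MALICIOUS_DOMAIN = "jquery.services"
SUBDIRS = {"logo", "theme", "normal", "background", "round"}

# Constructed proxy log format (an assumption): timestamp client method url status
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/[^\s?]*)?(?:\?\S*)?\s+(?P<status>\d{3})"
)

# Constructed sample log: 10.0.0.21 shows the full watering-hole sequence,
# 10.0.0.22 only the C2 fetch, 10.0.0.23 a look-alike domain, 10.0.0.24 only the script.
SAMPLE_LOG = """\
2021-04-12T09:14:03Z 10.0.0.21 GET https://www.dailynk.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 200
2021-04-12T09:14:04Z 10.0.0.21 GET https://cdn.jquery.services/round/ 200
2021-04-12T09:14:05Z 10.0.0.21 GET https://example.com/index.html 200
2021-04-12T09:14:06Z 10.0.0.22 GET https://static.jquery.services/logo/history 200
2021-04-12T09:14:07Z 10.0.0.22 GET https://code.jquery.com/jquery-3.5.1.min.js 200
2021-04-12T09:14:08Z 10.0.0.23 GET https://notjquery.services/theme/ 200
2021-04-12T09:14:09Z 10.0.0.24 GET https://www.dailynk.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 200
"""


def parse(line: str) -> dict[str, str] | None:
    """Split one log line into fields; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()
    rec["path"] = rec["path"] or "/"
    return rec


def is_malicious_host(host: str) -> bool:
    """True for jquery[.]services itself or any subdomain; look-alikes such as
    notjquery.services do not match because the dot is required."""
    host = host.lower()
    return host == MALICIOUS_DOMAIN or host.endswith("." + MALICIOUS_DOMAIN)


def subdir_of(path: str) -> str | None:
    """Return the first path component if it is one of the reported subdirectory names."""
    parts = [p for p in path.split("/") if p]
    return parts[0].lower() if parts and parts[0].lower() in SUBDIRS else None


def classify(rec: dict[str, str]) -> str | None:
    """Label a parsed request: C2 traffic, the loader script, or nothing of interest."""
    if is_malicious_host(rec["host"]):
        sd = subdir_of(rec["path"])
        return f"c2:{sd}" if sd else "c2"
    if rec["host"] == COMPROMISED_SITE and rec["path"].startswith(SCRIPT_PREFIX):
        return "loader-script"
    return None


def hunt(log_text: str) -> dict[str, list[str]]:
    """Map each client address to the ordered list of labels it triggered."""
    found: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (label := classify(rec)):
            found[rec["client"]].append(label)
    return dict(found)


def infected_clients(log_text: str) -> list[str]:
    """Clients that loaded the site's jQuery script and afterwards contacted jquery[.]services.
    A script load alone is not evidence: the file was only malicious part of the time."""
    out = []
    for client, labels in hunt(log_text).items():
        if "loader-script" not in labels:
            continue
        after = labels[labels.index("loader-script") + 1:]
        if any(lbl.startswith("c2") for lbl in after):
            out.append(client)
    return out


if __name__ == "__main__":
    for client, labels in hunt(SAMPLE_LOG).items():
        print(client, labels)
    print("likely exploited:", infected_clients(SAMPLE_LOG))
```

Any hit on jquery[.]services is worth a look on its own (10.0.0.22 fetches logo/history without a visible loader), but the correlated sequence is what separates an exploited visitor from someone who merely viewed the site while the scripts were clean.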


Bluelight

After several attacks had already been carried out, the attackers moved to a different subdomain of jquery[.]services, which they used to host a new malware family.

The “history” file the researchers mention was a copy of a custom malware family XOR-encoded with the single-byte key 0xCF. Both Volexity and the malware's developer refer to the family as Bluelight. It is normally used as a secondary payload following a successful Cobalt Strike deployment; Cobalt Strike served as the initial payload in both observed intrusions.
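A single-byte XOR layer like the one on the “history” file is quick to strip and to verify. The code below is an added example, not Volexity's tooling or the malware's own code: it decodes a buffer with the reported 0xCF key, checks that the result carries a PE header (MZ stub plus the PE signature at e_lfanew), and goes beyond the page's specific case by recovering an unknown single-byte key two ways, by brute force against the PE check and from byte frequency (the zero padding in a PE makes the key the most common byte of the encoded file). The sample “implant” is a constructed header-only stand-in, not a real binary.

```python
from __future__ import annotations

import struct
from collections import Counter

XOR_KEY = 0xCF  # single-byte key reported for the "history" file


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo a single repeating-byte XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(data: bytes) -> int | None:
    """Brute-force the single-byte key: the only key that yields a valid PE header.
    Generalises the 0xCF case to any single-byte key; only the first 0x200 bytes are tried."""
    head = data[:0x200]
    for key in range(256):
        if looks_like_pe(xor_decode(head, key)):
            return key
    return None


def key_hint(data: bytes) -> int:
    """Cheap heuristic: PE files are padded with zeros, and 0x00 ^ key == key,
    so the most frequent byte of an encoded PE is usually the key itself."""
    return Counter(data).most_common(1)[0][0]


def build_sample_pe() -> bytes:
    """Constructed stand-in for an implant: DOS header, PE signature, zero padding.
    It is not executable and is only here so the example runs offline."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = b"PE\0\0" + b"\x64\x86" + b"\0" * 18  # Machine = AMD64, rest zeroed
    return bytes(dos) + file_header + b"\0" * 64


# What a "history"-style file would look like on disk: the sample PE under XOR 0xCF.
SAMPLE_HISTORY = xor_decode(build_sample_pe(), XOR_KEY)


if __name__ == "__main__":
    print("raw file is a PE:", looks_like_pe(SAMPLE_HISTORY))
    print("key by brute force:", hex(recover_key(SAMPLE_HISTORY)))
    print("key by frequency:", hex(key_hint(SAMPLE_HISTORY)))
    print("decoded is a PE:", looks_like_pe(xor_decode(SAMPLE_HISTORY)))
```

On a real sample, a frequency hint that disagrees with the brute-force result usually means the layer is not a single-byte XOR at all, which is the moment to stop guessing and look at the loader that consumed the file.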

Security researchers continue to investigate the attack and its detailed processes so that it can be mitigated more easily in the future.
