A bug in Internet Explorer is being exploited by InkySquid — an advanced persistent threat group with ties to North Korea — to launch watering hole attacks. The exploitation is consistent with a memory corruption vulnerability that was patched about one year ago.
The bug allowed malicious JavaScript code to be hidden among legitimate code, helping attackers conceal it from both automated and manual review. Encoded content stored within SVG image tags made the malicious code appear to be simply part of an image.
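As an added defensive example (not code from the original article or from the reported campaign), the following Python script parses an HTML page, collects the text nodes found inside `<svg>` elements, and flags base64-like blobs that decode to script-like content. The sample page, the script markers and the entropy threshold are constructed assumptions for illustration.

```python
import base64
import binascii
import math
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from the attack): one benign SVG and one
# whose text node is a base64 blob that decodes to script-like content.
_HIDDEN = base64.b64encode(b"var f=function(){eval(unescape('%41%42'));};f();").decode()
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>"
    '<svg viewBox="0 0 10 10"><path d="M0 0 L10 10"/></svg>'
    f'<svg class="logo"><desc>{_HIDDEN}</desc></svg>'
    "</body></html>"
)

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Assumed indicators of script-like content in the decoded bytes.
SCRIPT_MARKERS = (b"eval(", b"unescape(", b"document.write", b"<script", b"function(")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking base64 sits well above prose (~4.1)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

class SvgTextCollector(HTMLParser):
    """Collect text nodes that appear anywhere inside an <svg> element."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # nesting level inside <svg>
        self.texts = []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        if self.depth and data.strip():
            self.texts.append(data.strip())

def find_suspicious_svg_payloads(html: str) -> list:
    """Return one dict per encoded SVG text node that decodes to script-like bytes."""
    parser = SvgTextCollector()
    parser.feed(html)
    hits = []
    for text in parser.texts:
        for token in B64_TOKEN.findall(text):
            try:  # pad to a multiple of 4 and reject anything that is not valid base64
                decoded = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            except (ValueError, binascii.Error):
                continue
            markers = [m.decode() for m in SCRIPT_MARKERS if m in decoded]
            if markers and shannon_entropy(token) > 4.5:
                hits.append({"entropy": round(shannon_entropy(token), 2), "markers": markers})
    return hits
```

Run against a crawled page, the returned list is empty for ordinary vector graphics and non-empty only where an SVG text node carries an encoded blob that decodes to script-like tokens.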
InkySquid deploys its Bluelight malware as a secondary payload. Bluelight creates a folder in the OneDrive directory with innocent-sounding filenames, including words like "background," "logo," and "theme," and then exfiltrates sensitive data, including usernames, IP addresses, and operating system versions.
It's not uncommon for threat actors to utilize old vulnerabilities in their attacks, which makes keeping your software updated with the latest patches all the more important. Acronis Cyber Protect Cloud includes simple patch management capabilities that enable you to update all protected systems from a single web console with just the click of a button.