North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros – Dark Reading

Based on fresh infection routines the APT is testing, it’s looking to harvest threat intelligence in order to improve operational security and stealth.
January 22, 2024
ScarCruft, the North Korea-sponsored advanced persistent threat (APT) group, is gearing up for targeted attacks on cybersecurity researchers and other members of the threat intelligence community — likely in a bid to steal nonpublic threat intel and improve its operational playbook.
According to an analysis from SentinelLabs, ScarCruft (aka APT37, Inky Squid, RedEyes, and Reaper) spent November and December targeting media organizations and think-tank personnel who focus on North Korean affairs, in a series of fairly typical impersonation-style attacks that researchers expect to continue into 2024. However, while analyzing that campaign, SentinelLabs researchers came across new, in-development malware and some trial infection chains that suggest a different type of offensive is in the offing.
This is not the first time that North Korean actors have targeted cybersecurity pros; but notably, the infection routine the attackers have been testing out is innovative in that it uses technical threat research on the North Korean APT known as Kimsuky as a lure.
The report is legit, published in October by Genians, a South Korean cybersecurity company — and calling out a fellow APT in such a way is a twist that appears to break new ground, according to Aleksandar Milenkoski, senior threat researcher at SentinelOne.
"To date, based on our visibility, we have not [previously] observed ScarCruft or any other suspected North Korean threat actor using threat research materials related to another suspected threat actor in the region as decoys," he notes. "Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and command-and-control server configurations."
Based on the lure and other details spotted in the malware testing activities, "the adversary likely intends to target … cybersecurity professionals or businesses," Milenkoski explains. "We suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber-threat landscape, targeting audiences consuming threat intelligence reports."
As far as the end goal, the firm concluded that one aim is likely stealing such reports, which could reveal whether researchers are onto ScarCruft's latest tactics, techniques, and procedures (TTPs), thus "identifying potential threats to [the APT's] operations and contributing to refining their operational and evasive approaches."
A twin goal could be gaining access to cybersecurity environments to use as a launchpad for convincing impersonation attacks — i.e., "mimicking cybersecurity professionals and businesses to target specific customers and contacts directly, or more broadly through brand impersonation," according to the SentinelOne report.
ScarCruft has a long history of targeted attacks against South Korean individuals, as well as public and private entities, and acts as a cyber-espionage specialist for the Democratic People's Republic of Korea (DPRK).
"ScarCruft has been observed to share operational characteristics with Kimsuky, like infrastructure and command-and-control server configurations," Milenkoski says. "Current understanding of the group indicates they are primarily conducting intelligence collection, aligned with the efforts of the Ministry of State Security (MSS) and in support of North Korean strategic interests."
To that end, in the active campaign that was originally the focus of SentinelLabs' analysis, ScarCruft repeatedly targeted the same individuals with the goal of delivering RokRAT, a custom backdoor developed by the adversaries that allows a range of surveillance types on targeted entities.
RokRAT is also at the center of the wave of cybersecurity pro targeting that’s likely coming, according to the SentinelLabs report.
"While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft's planning and testing processes," the researchers said. "This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk."
Both malicious LNK files execute PowerShell code when opened, which in turn extracts the decoy Kimsuky PDF document (named "inteligence.pdf") and fetches a hex-encoded file named story.txt from the cloud. The story.txt file benignly opens notepad.exe, indicating that inteligence.lnk has been developed for testing purposes, researchers explained.
On the other hand, "the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor," according to the analysis. "It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns."
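The two traits the report calls out, an oversized LNK and a shortcut that launches PowerShell, are both checkable from the file alone. The following triage script is an added example, not code from SentinelLabs or the article: it parses the MS-SHLLINK header and StringData of a .lnk file, flags a PowerShell target or arguments, and reports how much data sits past the parsed fields. The 8 KiB size threshold, the keyword list and the two fixtures built by build_lnk are assumptions and constructed test data, not samples from the campaign.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SIZE_THRESHOLD = 8 * 1024  # assumed: ordinary shortcuts are well below this
SUSPICIOUS = ("powershell", "pwsh", "windowstyle hidden", "-w hidden", "-enc",
              "downloadstring", "invoke-webrequest", "net.webclient", "fromhexstring")

def parse_lnk(data: bytes) -> dict:
    """Read the MS-SHLLINK header and StringData, skipping IDList/LinkInfo if present."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"size": len(data)}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    info["bytes_after_strings"] = len(data) - pos  # ExtraData plus anything appended
    return info

def triage_lnk(data: bytes) -> list:
    """Flag the traits this article describes: a PowerShell launch and an oversized file."""
    info = parse_lnk(data)
    cmd = " ".join(info.get(k, "") for k in ("relative_path", "arguments")).lower()
    findings = [s for s in SUSPICIOUS if s in cmd]
    if info["size"] > SIZE_THRESHOLD:
        findings.append(f"oversized: {info['size']} bytes, {info['bytes_after_strings']} after StringData")
    return findings

def build_lnk(rel_path: str, args: str, padding: bytes = b"") -> bytes:
    """Constructed test fixture, not a real sample: minimal unicode LNK plus padding."""
    flags = 0x08 | 0x20 | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return hdr + body + padding

BENIGN = build_lnk("..\\App\\app.exe", "")
SUSPECT = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    "-WindowStyle Hidden -Command \"<constructed placeholder>\"", b"\x00" * 65536)
```

Running triage_lnk over a directory of shortcuts gives a cheap first pass; anything it flags still needs the PowerShell arguments and the appended bytes examined by hand, since a large ExtraData section alone is not proof of malice.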
While the approach is similar to campaigns in the wild that researchers have previously analyzed, it’s clear that the group is fine-tuning and tinkering with its approaches.
"ScarCruft's malware testing activities reveal the adversary's commitment to innovating its arsenal and expanding its target list," according to the SentinelLabs report on ScarCruft, released today. "We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community."
Milenkoski advises cybersecurity researchers, especially those involved in examining the Korean threat landscape, to stay frosty and be on the lookout for cleverly designed, convincing email attacks going forward.
"Cybersecurity professionals are typically more aware of warning signs than the general public, so the barrier is higher," he says. "Nevertheless, the general advice of maintaining vigilance against social engineering attempts and avoiding the opening of unknown attachments or clicking on unknown links unless they are from a trusted source still applies."

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
