Based on fresh infection routines the APT is testing, it’s looking to harvest threat intelligence in order to improve operational security and stealth.
January 22, 2024
ScarCruft, the North Korea-sponsored advanced persistent threat (APT) group, is gearing up for targeted attacks on cybersecurity researchers and other members of the threat intelligence community — likely in a bid to steal nonpublic threat intel and improve its operational playbook.
According to an analysis from SentinelLabs, ScarCruft (aka APT37, Inky Squid, RedEyes, and Reaper) spent November and December targeting media organizations and think-tank personnel that focus on North Korean affairs, in a series of fairly typical impersonation-style attacks that researchers expect to continue into 2024. However, while analyzing that campaign, SentinelLabs researchers came across new, in-development malware and some trial infection chains that suggest that a different type of offensive is in the offing.
This is not the first time that North Korean actors have targeted cybersecurity pros; but notably, the infection routine the attackers have been testing out is innovative in that it uses technical threat research on the North Korean APT known as Kimsuky as a lure.
The report is legit, published in October by Genians, a South Korean cybersecurity company — and calling out a fellow APT in such a way is a twist that appears to break new ground, according to Aleksandar Milenkoski, senior threat researcher at SentinelOne.
"To date, based on our visibility, we have not [previously] observed ScarCruft or any other suspected North Korean threat actor, using threat research materials related to another suspected threat actor in the region as decoys," he notes. "Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and command-and-control server configurations."
Based on the lure and other details spotted in the malware testing activities, "the adversary likely intends to target … cybersecurity professionals or businesses," Milenkoski explains. "We suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber-threat landscape, targeting audiences consuming threat intelligence reports."
As far as the end goal, the firm concluded that one aim is likely stealing such reports, which could reveal whether researchers are onto ScarCruft's latest tactics, techniques, and procedures (TTPs), thus "identifying potential threats to [the APT's] operations and contributing to refining their operational and evasive approaches."
A twin goal could be gaining access to cybersecurity environments to use as a launchpad for convincing impersonation attacks — i.e., "mimicking cybersecurity professionals and businesses to target specific customers and contacts directly, or more broadly through brand impersonation," according to the SentinelOne report.
ScarCruft has a long history of targeted attacks against South Korean individuals, as well as public and private entities, and acts as a cyber-espionage specialist for the Democratic People's Republic of Korea (DPRK).
"ScarCruft has been observed to share operational characteristics with Kimsuky, like infrastructure and command-and-control server configurations," Milenkoski says. "Current understanding of the group indicates they are primarily conducting intelligence collection, aligned with the efforts of the Ministry of State Security (MSS) and in support of North Korean strategic interests."
To that end, in the active campaign that was originally the focus of SentinelLabs' analysis, ScarCruft repeatedly targeted the same individuals with the goal of delivering RokRAT, a custom backdoor developed by the adversaries that allows a range of surveillance types on targeted entities.
RokRAT is also at the center of the wave of cybersecurity pro targeting that’s likely coming, according to the SentinelLabs report.
"While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft's planning and testing processes,” the researchers said. "This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk.”
Both malicious LNK malwares execute PowerShell code when opened, which in turn extracts the decoy Kimsuky PDF document (named “inteligence.pdf”), and fetches a hex-encoded file named story.txt from the cloud. The story.txt file benignly opens notepad.exe, indicating that inteligence.lnk has been developed for testing purposes, researchers explained.
On the other hand, "the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor," according to the analysis. "It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns."
While the approach is similar to campaigns in the wild that researchers have previously analyzed, it’s clear that the group is fine-tuning and tinkering with its approaches.
"ScarCruft's malware testing activities reveals the adversary’s commitment to innovating its arsenal and expanding its target list," according to the SentinelLabs report on ScarCruft, released today. "We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community."
Milenkoski advises cybersecurity researchers, especially those involved in examining the Korean threat landscape, to stay frosty and be on the lookout for cleverly designed, convincing email attacks going forward.
"Cybersecurity professionals are typically more aware of warning signs than the general public, so the barrier is higher," he says. “Nevertheless, the general advice of maintaining vigilance against social engineering attempts and avoiding the opening of unknown attachments or clicking on unknown links unless they are from a trusted source still applies."
Tara Seals, Managing Editor, News, Dark Reading
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
You May Also Like
Tips for Managing Cloud Security in a Hybrid Environment
Top Cloud Security Threats Targeting Enterprises
DevSecOps: The Smart Way to Shift Left
API Security: Protecting Your Application’s Attack Surface
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Passwords Are Passe: Next Gen Authentication Addresses Today’s Threats
The State of Supply Chain Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Migrations Playbook for Saving Money with Snyk + AWS
Buyer’s Guide: Choosing a True DevSecOps Solution for Your Apps on AWS
2023 Software Supply Chain Attack Report
Increase Speed and Accuracy with AI Driven Static Analysis Auditing
The Need for a Software Bill of Materials
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
