Media organizations and high-profile specialists in North Korean affairs have been on the receiving finish of a brand new marketing campaign orchestrated by a risk actor often called ScarCruft in December 2023.
“ScarCruft has been experimenting with new an infection chains, together with using a technical risk analysis report as a decoy, probably concentrating on customers of risk intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel stated in a report shared with The Hacker Information.
The North Korea-linked adversary, additionally recognized by the identify APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be a part of the Ministry of State Safety (MSS), putting it aside from Lazarus Group and Kimsuky, that are parts throughout the Reconnaissance Basic Bureau (RGB).
The group is recognized for its concentrating on of governments and defectors, leveraging spear-phishing lures to ship RokRAT and different backdoors with the last word purpose of covert intelligence gathering in pursuit of North Korea’s strategic pursuits.
In August 2023, ScarCruft was linked to an assault on Russian missile engineering firm NPO Mashinostroyeniya alongside Lazarus Group in what has been deemed as a “extremely fascinating strategic espionage mission” designed to learn its controversial missile program.
Earlier this week, North Korean state media reported that the nation had carried out a check of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the workouts as a risk to its nationwide safety.
The newest assault chain noticed by SentinelOne focused an professional in North Korean affairs by posing as a member of the North Korea Analysis Institute, urging the recipient to open a ZIP archive file containing presentation supplies.
Whereas seven of the 9 recordsdata within the archive are benign, two of them are malicious Home windows shortcut (LNK) recordsdata, mirroring a multi-stage an infection sequence beforehand disclosed by Test Level in Could 2023 to distribute the RokRAT backdoor.
There may be proof to recommend that a number of the people who have been focused round December 13, 2023, have been additionally beforehand singled out a month prior on November 16, 2023.
SentinelOne stated its investigation additionally uncovered malware – two LNK recordsdata (“inteligence.lnk” and “information.lnk”) in addition to shellcode variants delivering RokRAT – that is stated to be a part of the risk actor’s planning and testing processes.
Whereas the previous shortcut file simply opens the official Notepad software, the shellcode executed through information.lnk paves the best way for the deployment of RokRAT, though this an infection process is but to be noticed within the wild, indicating its probably use for future campaigns.
The event is an indication that the nation-state hacking crew is actively tweaking its modus operandi probably in an effort to avoid detection in response to public disclosure about its techniques and strategies.
“ScarCruft stays dedicated to buying strategic intelligence and probably intends to realize insights into private cyber risk intelligence and protection methods,” the researchers stated.
“This permits the adversary to realize a greater understanding of how the worldwide neighborhood perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”
