
North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Jan 22, 2024 | Newsroom | Cyber Attack / Hacking


Media organizations and high-profile experts in North Korean affairs have been on the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the names APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), setting it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).


The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of covert intelligence gathering in pursuit of North Korea’s strategic interests.

In August 2023, ScarCruft was linked to an attack on Russian missile engineering company NPO Mashinostroyeniya alongside Lazarus Group in what has been described as a “highly desirable strategic espionage mission” designed to benefit its controversial missile program.


Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals targeted around December 13, 2023, had also been singled out a month earlier, on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that is believed to be part of the threat actor’s planning and testing processes.


While the former shortcut file simply opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure has yet to be observed in the wild, indicating its likely use in future campaigns.
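The lure described above, a ZIP of mostly benign documents with a couple of Windows shortcuts mixed in, is something a recipient can triage without double-clicking anything, because a shortcut stores the command line it will run in a documented structure (MS-SHLLINK). The script below is an added example written for this page; it is not code from the article or from the SentinelOne report, and it does not reproduce the real files. It parses the ShellLinkHeader and StringData sections of each LNK inside an archive, exposes the target and arguments, and applies two generic heuristics that are assumptions rather than findings from the report: a script interpreter named in the arguments, and a large blob of bytes appended after the end of the shortcut structure. The archive members, their names, and the 4096-byte threshold are all constructed for the example.

```python
"""Triage Windows shortcut (.lnk) files extracted from a ZIP lure.

Added example; not code from the article or the SentinelOne report.
Every sample file below is constructed in memory, and the heuristics
are generic assumptions, not indicators taken from the real campaign.
"""
import io
import struct
import zipfile

# HeaderSize 0x4C followed by the shell link CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in storage order, with their LinkFlags bits.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "mshta", "rundll32", "regsvr32",
                     "wscript", "cscript", "certutil")
TRAILING_THRESHOLD = 4096  # assumption: appended bytes worth flagging; tune locally


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the byte count after the parsed structure."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76  # fixed ShellLinkHeader size
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {}
    for field, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            info[field] = data[off:off + nbytes].decode(
                "utf-16-le" if unicode else "cp1252", errors="replace")
            off += nbytes
    # ExtraData: size-prefixed blocks, ended by a terminal block whose size is < 4.
    while off + 4 <= len(data):
        block = struct.unpack_from("<I", data, off)[0]
        if block < 4:
            off += 4
            break
        if off + block > len(data):  # truncated block, or payload bytes, not a block
            break
        off += block
    info["trailing_bytes"] = max(0, len(data) - off)
    return info


def triage_lnk(data: bytes) -> dict:
    """Parse one shortcut and attach the heuristic verdict."""
    info = parse_lnk(data)
    args = info.get("arguments", "").lower()
    reasons = [f"interpreter in arguments: {tok}" for tok in SUSPICIOUS_TOKENS if tok in args]
    if info["trailing_bytes"] >= TRAILING_THRESHOLD:
        reasons.append(f"{info['trailing_bytes']} bytes appended after the shortcut structure")
    info["reasons"] = reasons
    info["suspicious"] = bool(reasons)
    return info


def triage_archive(zip_bytes: bytes) -> list:
    """Inspect every member; shortcuts are recognised by magic bytes, not only by extension."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            raw = zf.read(member)
            entry = {"name": member.filename, "size": len(raw),
                     "is_lnk": raw[:20] == LNK_MAGIC or member.filename.lower().endswith(".lnk")}
            if entry["is_lnk"]:
                try:
                    entry.update(triage_lnk(raw))
                except ValueError as exc:
                    entry.update({"suspicious": True, "reasons": [str(exc)]})
            results.append(entry)
    return results


def build_lnk(relative_path: str = "", arguments: str = "", trailing: bytes = b"") -> bytes:
    """Assemble a minimal Unicode shell link for testing (no IDList, no LinkInfo)."""
    flags = IS_UNICODE | (0x08 if relative_path else 0) | (0x20 if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_MAGIC[4:], flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s)
    return header + body + struct.pack("<I", 0) + trailing  # terminal ExtraData block


def build_sample_zip() -> bytes:
    """Constructed lure: two benign decoys and two shortcuts; names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("slides.pptx", b"placeholder deck bytes")
        zf.writestr("agenda.txt", b"Session 1: regional security outlook\n")
        zf.writestr("notes.lnk", build_lnk(r"..\..\Windows\System32\notepad.exe"))
        zf.writestr("briefing.lnk", build_lnk(r"..\..\Windows\System32\cmd.exe",
                                             "/c powershell -w hidden -enc QQBB",
                                             trailing=b"\x90" * 8192))
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for entry in triage_archive(SAMPLE_ZIP):
        verdict = "SUSPICIOUS" if entry.get("suspicious") else "ok"
        print(f"{entry['name']:<14} {verdict:<10} {entry.get('arguments', '')} {entry.get('reasons', [])}")
```

Two design points matter in practice. Shortcuts are identified by the header magic rather than the file name alone, since Explorer hides the `.lnk` suffix and a lure can carry a document-looking name in front of it. And the parser walks the ExtraData blocks to the terminal block before measuring what is left, so a payload appended after a well-formed shortcut shows up as trailing bytes rather than being mistaken for part of the structure; a shortcut that is malformed before that point is reported as a parse error and treated as suspicious instead of silently skipped.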

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi, likely in an effort to bypass detection in response to public disclosure of its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into private cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”
