Media organizations and high-profile specialists in North Korean affairs have been on the receiving finish of a brand new marketing campaign orchestrated by a menace actor often known as ScarCruft in December 2023.
“ScarCruft has been experimenting with new an infection chains, together with the usage of a technical menace analysis report as a decoy, doubtless concentrating on customers of menace intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel stated in a report shared with The Hacker Information.
The North Korea-linked adversary, additionally recognized by the identify APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be a part of the Ministry of State Safety (MSS), putting it aside from Lazarus Group and Kimsuky, that are parts inside the Reconnaissance Basic Bureau (RGB).
The group is understood for its concentrating on of governments and defectors, leveraging spear-phishing lures to ship RokRAT and different backdoors with the final word purpose of covert intelligence gathering in pursuit of North Korea’s strategic pursuits.
In August 2023, ScarCruft was linked to an assault on Russian missile engineering firm NPO Mashinostroyeniya alongside Lazarus Group in what has been deemed as a “extremely fascinating strategic espionage mission” designed to learn its controversial missile program.
Earlier this week, North Korean state media reported that the nation had carried out a check of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the workouts as a menace to its nationwide safety.
The newest assault chain noticed by SentinelOne focused an professional in North Korean affairs by posing as a member of the North Korea Analysis Institute, urging the recipient to open a ZIP archive file containing presentation supplies.
Whereas seven of the 9 information within the archive are benign, two of them are malicious Home windows shortcut (LNK) information, mirroring a multi-stage an infection sequence beforehand disclosed by Verify Level in Might 2023 to distribute the RokRAT backdoor.
There may be proof to recommend that a number of the people who have been focused round December 13, 2023, have been additionally beforehand singled out a month prior on November 16, 2023.
SentinelOne stated its investigation additionally uncovered malware – two LNK information (“inteligence.lnk” and “information.lnk”) in addition to shellcode variants delivering RokRAT – that is stated to be a part of the menace actor’s planning and testing processes.
Whereas the previous shortcut file simply opens the reliable Notepad software, the shellcode executed by way of information.lnk paves the way in which for the deployment of RokRAT, though this an infection process is but to be noticed within the wild, indicating its doubtless use for future campaigns.
The event is an indication that the nation-state hacking crew is actively tweaking its modus operandi doubtless in an effort to avoid detection in response to public disclosure about its ways and strategies.
“ScarCruft stays dedicated to buying strategic intelligence and presumably intends to achieve insights into personal cyber menace intelligence and protection methods,” the researchers stated.
“This permits the adversary to achieve a greater understanding of how the worldwide neighborhood perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”
