A threat actor believed to operate on behalf of the North Korean government is continuing to target media organizations and academics, and its newest malware indicates it is now also hunting for non-public information held by cybersecurity professionals, according to SentinelLabs.
Over the last two months of 2023, ScarCruft hackers busied themselves targeting media organizations and academics specializing in North Korean affairs, SentinelLabs researchers wrote in a report. The researchers also acquired samples of ScarCruft malware that appeared to reflect various stages of development, shedding light on potential future attacks.
SentinelLabs researchers observed ScarCruft hackers use phishing emails to distribute the RokRAT backdoor malware, which the security firm describes as a “fully featured backdoor” useful for surveillance purposes. In one of the attacks, a suspected member of the group impersonating a member of the Seoul-based North Korea Research Institute distributed an archive via email that supposedly contained presentation materials from a recent human rights meeting.
Alongside innocuous materials, the archive contained malicious LNK files—Windows shortcut files that have become a popular vehicle for hackers after Microsoft took steps to limit malware via macros in 2022. According to SentinelLabs, RokRAT attacks utilize public cloud services to disguise command and control communications as legitimate traffic.
“We think that with this targeting, ScarCruft continues to fulfill its primary objective or goal of gathering strategic intelligence,” Aleksandar Milenkoski, a senior threat researcher at SentinelLabs, told IT Brew.
SentinelLabs researchers also discovered incomplete ScarCruft malware consisting of two oversized LNK files, public tooling, and shellcode variants linked to RokRAT infection. This campaign involved the use of an otherwise legitimate technical research document on another suspected North Korean advanced persistent threat (APT), Kimsuky, as a decoy.
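The two paragraphs above describe the delivery vehicle: shortcut (.lnk) files, some unusually large, mailed inside an otherwise innocuous archive. The following added example (not from the report or from IT Brew) shows the kind of triage check a mail gateway or analyst script can run on such an archive: it flags any Shell Link entry, whether or not it carries a .lnk name, by checking the fixed header every .lnk file starts with, and separately notes entries far larger than a genuine shortcut. The 64 KB size threshold and the sample archive contents are assumptions constructed for the example.

```python
import io
import zipfile

# Every Shell Link (.lnk) file begins with HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")
# Assumed threshold: real shortcuts are usually a few KB, so anything far
# beyond that deserves a second look (the report mentions "oversized" LNKs).
OVERSIZED_BYTES = 64 * 1024


def scan_archive(data: bytes, oversized: int = OVERSIZED_BYTES):
    """Return (entry name, reason) findings for a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_ext = info.filename.lower().endswith(".lnk")
            has_lnk_magic = head.startswith(LNK_MAGIC)
            if has_lnk_magic and not has_lnk_ext:
                findings.append((info.filename, "shell link header under a non-.lnk name"))
            elif has_lnk_ext or has_lnk_magic:
                reason = "shortcut file inside mailed archive"
                if info.file_size > oversized:  # file_size is the uncompressed size
                    reason += f", oversized ({info.file_size} bytes)"
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless document plus two inert shortcut entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("meeting_agenda.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("slides.lnk", LNK_MAGIC + b"\x00" * 400)
        # Zero padding stands in for an inflated shortcut; it contains no payload.
        zf.writestr("notes.lnk", LNK_MAGIC + b"\x00" * (2 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```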
According to Milenkoski, the use of a cybersecurity document as a decoy is unique and indicates ScarCruft may be experimenting with ways to steal non-public data from foreign cybersecurity professionals. The group is likely particularly interested in intel such as discussions of undisclosed vulnerabilities, what enemies know about its operations, and the state of defenses at potential targets, the report speculated.
“We have not observed ScarCruft or any North Korean threat actor using threat research materials as a decoy in this way,” Milenkoski said.
As The Record observed, Kimsuky has known ties to ScarCruft, and previous SentinelLabs research has indicated both groups may have been involved in the same attack on a Russian missile manufacturer in 2022. The extent of the APTs’ ties remains unknown, the report stated, beyond shared use of some pseudonyms.
ScarCruft is continually updating its techniques and malicious code patterns to frustrate ongoing tracking of its activities, Milenkoski added, but the group's continued reliance on social engineering means basic cybersecurity hygiene goes a long way toward limiting its effectiveness.
“The most effective defense strategy remains for users to remain aware and vigilant against phishing attempts or social engineering attacks, to be able to identify malicious attachments or intent in conversation,” Milenkoski said.