Unveiling ScarCruft’s Campaign Against North Korea Analysts

In December 2023, media organizations and prominent North Korean affairs experts became the targets of a new malicious campaign orchestrated by the hacker group ScarCruft. Researchers at SentinelOne reported that the group is experimenting with new infection methodologies, employing technical threat reports as a lure. This suggests that the hackers are specifically targeting cybersecurity specialists who regularly analyze intelligence data.

ScarCruft, also known by code names such as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is purportedly linked to North Korea’s Ministry of State Security. This distinguishes it from groups like Lazarus and Kimsuky, which are believed to be part of the DPRK’s Reconnaissance General Bureau. According to researchers, ScarCruft’s primary objective is intelligence gathering, including through phishing attacks, to serve the strategic interests of North Korea.

Infection chain: news.lnk | Image: SentinelOne

Recently, North Korean state media reported on the testing of an underwater nuclear weapons system in response to military exercises conducted by the USA, South Korea, and Japan near the Korean Peninsula. The latest cyberattack by ScarCruft, as detected by SentinelOne experts, targeted a foreign North Korea expert, who received a ZIP archive via email purportedly containing presentation materials.

Out of the nine files in this archive, seven were harmless, while the remaining two were malicious Windows shortcuts (LNK) used to disseminate the RokRAT malware. A similar multi-stage infection process involving this malware had previously been described by Check Point in May 2023.
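A defender-side check for the delivery method described above, added here as an example (not code from the article or from SentinelOne): it lists every member of a ZIP attachment that is a Windows shortcut. It goes slightly beyond the article by recognising shortcuts from the fixed LNK header bytes as well as from the `.lnk` extension, so a shortcut renamed to look like a document is also flagged. The nine-file archive and all member names except `news.lnk` are constructed stand-ins, not the real lure.

```python
import io
import zipfile

# First 20 bytes of every Windows shortcut: HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def find_shortcut_entries(zip_bytes):
    """Return the names of archive members that are Windows shortcuts.

    A member is flagged if its name ends in .lnk OR its leading bytes carry the
    LNK header, so a shortcut disguised with another extension is still caught.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            by_name = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_name or by_magic:
                flagged.append(info.filename)
    return flagged


def build_sample_archive():
    """Constructed stand-in for a nine-member lure archive (not the real one):
    seven harmless image members and two shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 8):
            zf.writestr(f"slide{i}.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        # Shortcut with its true extension.
        zf.writestr("news.lnk", LNK_MAGIC + b"\x00" * 32)
        # Shortcut hiding behind a document-like name (constructed); only the
        # header check catches this one.
        zf.writestr("agenda.docx", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_shortcut_entries(build_sample_archive()):
        print("shortcut inside archive:", name)
```

In a mail gateway or triage script the same function can be run over every ZIP attachment, quarantining any archive whose returned list is non-empty.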

Nonetheless, ScarCruft regularly alters its methods in an attempt to evade detection following public disclosures of its tactics. According to researchers, ScarCruft is keen on collecting strategic intelligence and possibly aims to gain insights into the undisclosed cybersecurity and defense strategies of other nations.

“This allows the attackers to better understand how the international community perceives events in North Korea, thereby facilitating decision-making processes within the country,” the study states.