North Korea-linked ScarCruft APT group, also known as APT37, Reaper, and Group123, has changed its deployment methods for the ROKRAT RAT malware, according to Check Point researchers.
Since 2022, ScarCruft has been using oversized LNK files embedded with malicious payloads, instead of relying on malicious documents. The malware is delivered via spear-phishing emails whose lures, written in Korean, focus on South Korean foreign and domestic affairs.
The ROKRAT malware is being deployed via multi-stage infection chains initiated by LNK files, a technique first observed in July 2022, the same month that Microsoft began enforcing a new macro blocking rule.
Additionally, ScarCruft used ROKRAT in past attacks against South Korean users that abused the popular Korean Microsoft Word alternative Hangul Word Processor (HWP). The group's end goal is to deploy ROKRAT on the victims' systems.
ScarCruft has been active since at least 2012, but made headlines in early 2018 when it leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. The ROKRAT RAT relies on cloud infrastructure for C2, including DropBox, pCloud, Yandex Cloud, and OneDrive.
Furthermore, Check Point noted that the LNK file method has become a prominent delivery mechanism for the ROKRAT RAT, and the group is using unique implementations of a publicly available tool called EmbedExeLnk to deliver the malware. The experts noticed similarities between the implementation of ROKRAT and GOLDBACKDOOR implants, and observed the threat actors using multiple lures in ZIP and ISO archives.
In November 2022, a file called securityMail.zip was submitted to VirusTotal, containing two LNKs just under 5 MB in size. The implementation of the PowerShell commands within the two LNKs is unique and overlaps only with ROKRAT and GOLDBACKDOOR LNK infections. In this case, the infection chain led to the deployment of the commodity malware Amadey, which was previously linked to Konni, another North Korea-linked actor that aligns with APT37.
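The two traits the article keeps returning to, shortcuts that are megabytes in size and PowerShell launched from the shortcut's own arguments, can be triaged directly from the .lnk structure. The following is an added example (not Check Point's tooling or any sample from the report) that walks the public MS-SHLLINK layout far enough to read the command-line arguments and flags both traits; the 1 MB size threshold and the test shortcut it builds are constructed assumptions.

```python
import struct

# LinkFlags bits from the public MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 1024 * 1024  # assumed: a genuine shortcut is a few KB, not megabytes
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relpath"),
                 (HAS_WORK_DIR, "workdir"), (HAS_ARGS, "args"), (HAS_ICON, "icon"))

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link file up to its StringData section and return those strings."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                     # LinkTargetIDList: 2-byte size prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:             # each: CountCharacters, then the string
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def lnk_findings(data: bytes) -> list:
    """Triage heuristics for the oversized-LNK-with-PowerShell pattern discussed above."""
    findings = []
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized shortcut: {len(data)} bytes")
    args = parse_lnk_strings(data).get("args", "").lower()
    if "powershell" in args or "-encodedcommand" in args:
        findings.append("PowerShell invoked from shortcut arguments")
    return findings

def build_sample_lnk(args: str, trailing_bytes: int) -> bytes:
    """Constructed test shortcut (not a real ScarCruft file): unicode LNK with only Arguments."""
    header = (struct.pack("<I", 76) + LNK_CLSID
              + struct.pack("<I", HAS_ARGS | IS_UNICODE) + b"\x00" * 52)
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    terminal = b"\x00" * 4                      # ExtraData terminal block (size < 4)
    return header + string_data + terminal + b"\x00" * trailing_bytes
```

Running `lnk_findings` over a directory of extracted attachments gives a quick first pass; a real shortcut points at a target through its IDList and leaves nothing appended after the terminal block.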