North Korean threat actor ScarCruft, also known as APT37, has launched a new cyber espionage campaign targeting media organizations and experts in North Korean affairs. The campaign, observed in December 2023, employed a technical threat research report as a decoy, particularly aiming at consumers of threat intelligence such as cybersecurity professionals. ScarCruft, associated with the Ministry of State Security (MSS), distinguishes itself from other North Korean groups like Lazarus Group and Kimsuky. Known for spear-phishing lures, it leverages backdoors like RokRAT for covert intelligence gathering to support North Korea’s strategic interests.
In a recent attack chain, ScarCruft targeted a North Korean affairs expert by posing as a member of the North Korea Research Institute. The decoy urged the recipient to open a ZIP archive file containing presentation materials. While most files were benign, two malicious Windows shortcut files (LNK) mirrored a multi-stage infection sequence, delivering the RokRAT backdoor. The attack victims, targeted on December 13, 2023, were also identified a month earlier on November 16, 2023. SentinelOne’s investigation uncovered malware and shellcode variants, indicating the threat actor’s planning and testing processes.
The attack highlights ScarCruft’s adaptation and active tweaking of its tactics, likely in response to public disclosure about its methods. The threat actor seeks to acquire strategic intelligence and gain insights into non-public cyber threat intelligence and defense strategies. This allows ScarCruft to understand how the international community perceives developments in North Korea, contributing to the nation’s decision-making processes. The evolving nature of the cyber espionage campaign suggests a continuous effort to avoid detection and maintain effectiveness in achieving its objectives.
