North Korean threat group ScarCruft (aka APT37) has been using oversized LNK files to deliver the RokRAT malware since July 2022. The RokRAT payload itself has changed little over the years, but its delivery has evolved: it now arrives in archives containing LNK files that start multi-stage infection chains.

Recent infection campaigns

According to Check Point, the lures used in the recent RokRAT infections focus on South Korean foreign and domestic affairs.
  • ScarCruft is believed to be targeting individuals connected to North Korea, including academics, novelists, and entrepreneurs thought to be providing financial support to the country.
  • The LNK technique starts the infection chain with a single double-click, which makes it more effective than n-day exploits or Office macros, both of which need additional user interaction (such as enabling content) before anything runs.
  • Alongside the new LNK files, the group still uses macro-based Word documents to drop the malware, an attack chain similar to the one Malwarebytes documented in January 2021.

A few days earlier, AhnLab disclosed the use of LNK files as decoys that kick off the infection sequence, with the shortcuts carrying PowerShell commands that deploy RokRAT.
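As an added example (not code from the article or from any of the vendors it cites), the following Python shows how a responder can triage the two shortcut tricks described above, oversized LNK files and LNK files carrying PowerShell commands: it builds a minimal Shell Link file, parses the MS-SHLLINK structure to pull out the target and command-line arguments, and measures how much data has been appended after the structure ends, which is where an oversized LNK hides its payload. The size threshold, the suspicious-token list and the two sample shortcuts are assumptions constructed for illustration, not artefacts from any real campaign.

```python
"""Static triage of Windows shortcut (.lnk) files for the oversized-LNK pattern.

Added example: a minimal Shell Link (MS-SHLLINK) builder plus a parser that
extracts target path, command-line arguments and window mode, and counts the
bytes that sit after the end of the link structure.  Threshold, token list and
sample shortcuts are assumptions for illustration, not real campaign artefacts.
"""
import struct

# Shell Link header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that leaves the launched console minimised
# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
SIZE_THRESHOLD = 1024 * 1024  # assumption: a benign shortcut is a few KB, never megabytes
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-enc", "frombase64string", "bypass",
                     "iex", "invoke-expression", "cmd.exe", "mshta", "rundll32")


def _string_data(text):
    """Encode one StringData field: CountCharacters (UINT16) + UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments, working_dir=".", show_cmd=1, padding=b""):
    """Build a minimal Unicode .lnk carrying only StringData, then append `padding`
    after the TerminalBlock, which is how an oversized LNK carries a hidden payload."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand,
    # HotKey, Reserved1, Reserved2, Reserved3 (76-byte header in total)
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(working_dir) + _string_data(arguments)
    return header + body + b"\x00\x00\x00\x00" + padding


def parse_lnk(data):
    """Walk the Shell Link structure; return the StringData fields plus show_command,
    structure_end (first offset past the TerminalBlock) and trailing_bytes after it."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, _attrs, _ct, _at, _wt, _size, _icon, show_cmd = struct.unpack_from("<IIQQQIiI", data, 20)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:  # IDListSize (UINT16) followed by the IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (UINT32) counts itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    # ExtraData: (BlockSize, BlockSignature, payload) blocks until a BlockSize < 4
    while pos + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, pos)
        pos += 4 if block_size < 4 else block_size
        if block_size < 4:
            break
    pos = min(pos, len(data))
    fields["show_command"] = show_cmd
    fields["structure_end"] = pos
    fields["trailing_bytes"] = len(data) - pos
    return fields


def triage(data, size_threshold=SIZE_THRESHOLD):
    """Return indicator strings for one .lnk; an empty list means nothing stood out."""
    info = parse_lnk(data)
    hits = []
    if len(data) >= size_threshold:
        hits.append(f"oversized: {len(data)} bytes")
    if info["trailing_bytes"] > 0:
        hits.append(f"{info['trailing_bytes']} bytes appended after the link structure")
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits.extend(f"command line contains {tok!r}" for tok in SUSPICIOUS_TOKENS if tok in cmdline)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("ShowCommand is SW_SHOWMINNOACTIVE (console kept out of sight)")
    return hits


# Constructed samples (not real campaign files): a plain notepad shortcut and a
# PowerShell launcher with 2 MiB of filler appended after the link structure.
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "")
MALICIOUS_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -ep bypass -c "Write-Host constructed-sample"',
    show_cmd=SW_SHOWMINNOACTIVE,
    padding=b"\x00" * (2 * 1024 * 1024))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, triage(blob) or "clean")
```

The parser deliberately stops at the TerminalBlock rather than trusting the file length: anything after that offset is not part of a valid shortcut, so a large `trailing_bytes` value is the strongest single signal for this technique, independent of what the command line says. Run it over every `.lnk` extracted from an inbound archive and review anything with hits before the user gets the chance to double-click.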

About RokRAT

RokRAT can gather system details, exfiltrate data, capture screenshots, steal credentials, execute commands and shellcode, and manage files and directories.
  • The collected data, some of it stored as MP3 files, is sent back through Dropbox, OneDrive, pCloud, and Yandex Cloud so that the C2 traffic blends in with legitimate cloud-storage use.
  • Other malware used by the group includes Chinotto, GOLDBACKDOOR, BLUELIGHT, M2RAT, and Dolphin, as well as the commodity Amadey loader.

The malware also targets macOS (CloudMensis) and Android (RambleOn), which shows that its operators are actively developing and maintaining it.

Conclusion

ScarCruft is an active threat that runs numerous campaigns while refining its delivery techniques. Combined with its use of both custom and commodity malware, this makes the group hard to anticipate and defend against. Organizations should keep track of these evolving techniques and mount a proactive defense, which for this campaign means treating LNK attachments, and archives that contain them, as suspect until inspected.
Cyware Publisher
