Researchers discovered a new campaign by the North Korea-sponsored ScarCruft group targeting media organizations and high-profile experts in North Korean affairs. The campaign was first observed in December 2023 and was aimed at harvesting threat intelligence and defense strategies from organizations and experts.
Modus operandi
Based on findings by SentinelLabs, the attackers impersonated a member of the Institute for North Korean Studies (INKS) and sent an email from kirnchi122[@]hanmail[.]net, targeting an expert in North Korean affairs.
The email contained an attached archive file named ‘December 13th announcement.zip,’ which included nine malicious files and claimed to be presentation materials from a fabricated event related to the targeted individual.
To make it look more convincing, the email asserted that the meeting occurred on the same date the email was sent.
Among the nine files, seven were benign Hangul Word Processor (HWP) and PowerPoint documents while two were malicious LNK files.
Opening either of the LNK shortcut files, which sat alongside the decoy documents to pass as part of the presentation materials, triggered the download of the RokRAT backdoor.
The malware used public cloud services, such as pCloud and Yandex Cloud, for C2 communication, so its traffic blends in with legitimate file-sync activity.
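The infection chain described above hinges on a recipient double-clicking a shortcut file hidden among legitimate-looking documents. The following triage script is an added example written for this page, not code from SentinelLabs or the original article: it unpacks a ZIP attachment in memory, flags entries that carry an executable extension (including the "report.hwp.lnk" double-extension trick) and, independently of the name, recognises a Windows shortcut by its fixed header bytes so a renamed LNK is still caught. The sample archive it builds mirrors the seven-document-plus-two-LNK layout reported for the campaign, but every file name and file body in it is constructed for the demonstration and is not the real archive content.

```python
import io
import zipfile

# Document types a recipient expects in "presentation materials".
DOCUMENT_EXTS = {".hwp", ".hwpx", ".ppt", ".pptx", ".doc", ".docx", ".pdf"}
# Types that execute on double-click and have no business in such a bundle.
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}

# Windows shortcut (MS-SHLLINK) header: HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def looks_like_lnk(data: bytes) -> bool:
    """Content-based check so a shortcut renamed to .hwp is still caught."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def triage_archive(zip_bytes: bytes) -> dict:
    """Classify every file in a ZIP attachment as a document or an executable lure."""
    documents, flagged = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                # "summary.hwp.lnk" displays as "summary.hwp" when Explorer hides extensions.
                parts = name.lower().rsplit("/", 1)[-1].split(".")
                if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
                    reasons.append("document extension hidden before " + ext)
            # Only the first 20 bytes are needed for the header check.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if looks_like_lnk(head):
                reasons.append("LNK header magic")
            if reasons:
                flagged.append({"name": name, "size": info.file_size, "reasons": reasons})
            elif ext in DOCUMENT_EXTS:
                documents.append(name)
    return {"documents": documents, "flagged": flagged, "suspicious": bool(flagged)}


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the 7-benign + 2-LNK layout; all names are made up."""
    decoys = [f"materials/session{i}.hwp" for i in range(1, 6)] + [
        "materials/slides1.pptx",
        "materials/slides2.pptx",
    ]
    # Minimal stand-in LNK bodies: genuine header magic followed by padding.
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for d in decoys:
            zf.writestr(d, b"benign placeholder document content")
        zf.writestr("materials/summary.hwp.lnk", fake_lnk)  # double-extension lure
        zf.writestr("materials/photos.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for entry in report["flagged"]:
        print(entry["name"], "->", "; ".join(entry["reasons"]))
```

Run against the constructed sample, the script reports both shortcut entries and leaves the seven decoy documents unflagged. In a mail gateway or sandbox pipeline the same `triage_archive` call can be applied to any ZIP attachment; a mixed bundle of documents and shortcuts is the pattern worth routing for manual review, since the shortcut, not the documents, is what starts the RokRAT download.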
More than one campaign
Researchers indicated that the campaign overlaps with another campaign in November 2023 as some of the individuals targeted in the December campaign were also targeted in November.
In November, a phishing email impersonating a member of the North Korea Research Institute was sent to potential victims.
The email contained two malicious HWP files and tricked the recipient into thinking that it was North Korean market price analysis data.
Other facts
ScarCruft has been observed to share operational characteristics with Kimsuky. These include infrastructure and C2 server configurations.
Moreover, the group’s previous activities indicate that it primarily collects intelligence that is aligned with the efforts of the Ministry of State Security (MSS) and in support of North Korean strategic interests.
Conclusion
Heightened awareness and a better understanding of threats like ScarCruft help organizations defend their networks proactively. A modern threat intelligence platform (TIP) supports this by providing contextual and operational intelligence, automatically enriching and correlating the IOCs.