The North Korean cyber espionage group ScarCruft has been active since at least 2012, operating exclusively on targets in South Korea. Lately, researchers have taken a closer look at the group’s malware and tactics, revealing some interesting insights.
Background on ScarCruft
ScarCruft is a state-sponsored cyber espionage group with links to the North Korean government. Its primary focus is on targets in South Korea, where it has been active since at least 2012. The group has been associated with several attacks on government and military organizations, as well as on companies in the telecommunications, software development, and healthcare sectors.
Affiliation with North Korea’s Ministry of State Security (MSS)
There is strong evidence to suggest that ScarCruft is a subordinate element within North Korea’s Ministry of State Security (MSS). This agency is responsible for the country’s internal security, counter-espionage, and external intelligence operations. ScarCruft’s focus on cyber espionage in South Korea is likely linked to Pyongyang’s interest in the political and military affairs of its southern neighbor.
Spear-phishing attacks using LNK files
In recent months, ScarCruft has been using LNK files to trigger multi-stage infection sequences. These spear-phishing attacks have been identified by security researchers at the AhnLab Security Emergency Response Center (ASEC) and Check Point. The LNK files have been in use by various cybercriminal groups for years, but ScarCruft’s specific usage and delivery mechanics have yet to be seen before.
Importance of ScarCruft’s Windows Backdoor – DOGCALL
ScarCruft’s Windows backdoor, also known as DOGCALL, is one of its primary malware tools. It is actively developed and maintained by the group and has been ported to other operating systems such as macOS and Android. DOGCALL enables ScarCruft to conduct various malicious activities on infected systems, including stealing sensitive information and executing arbitrary commands from a remote server.
Capabilities of RokRAT
ScarCruft has relied heavily on a sophisticated remote access trojan (RAT) called RokRAT. This malware gives the group the ability to harvest system metadata, take screenshots, execute arbitrary commands received from a remote server, enumerate directories, and exfiltrate files of interest. The RAT is also capable of completely compromising an infected system, giving attackers full access and control over it.
Attack strategy using disguised executable
ScarCruft’s attack strategy typically involves a Windows executable masquerading as a Hangul document. This productivity software is widely used by public and private organizations in South Korea, making it an attractive vector for delivery of the group’s signature malware, RokRAT. The disguised executable drops malware that is configured to contact an external URL every 60 minutes.
The role of RokRAT in ScarCruft’s attack chain
RokRAT is a critical component within the ScarCruft attack chain. The RAT has been observed to be deployed as part of multi-layered spear-phishing attacks, typically starting with a lure email that includes an embedded LNK file. Exploitation of vulnerabilities in Hancom’s Hangul Word Processor, which is frequently utilized in South Korea, has been used to deliver the malware, allowing ScarCruft to maintain stealth and persistence within target networks.
ScarCruft relies on social engineering heavily
As with many cyber espionage groups, ScarCruft has heavily relied on social engineering to spear-phish victims and deliver payloads onto target networks. This includes everything from carefully crafted lures and false promises to the exploitation of victims’ curiosity, confusion, and fear. Additionally, the malware delivered through these social engineering campaigns has been designed to evade detection and remain covert.
North Korea’s ScarCruft cyber espionage group remains a major threat to targets in South Korea. The group’s affiliation with the Ministry of State Security, combined with its sophisticated remote access Trojan (RAT) and attack techniques, makes it difficult to detect and defend against. However, as with all cyber threats, a combination of strong security measures, vigilant employees, and early detection can go a long way in mitigating the risks. Organizations targeted by ScarCruft or similar threat actors should seek expert counsel and take steps to maximize their defenses.