ScarCruft, a North Korean advanced persistent threat group, has been using oversized LNK files as a vector to spread the RokRAT malware. The campaign has been operating since July last year, and RokRAT itself has changed little over the years. However, researchers claim the remote access trojan is now being spread through new delivery tactics.
Researchers revealed that the current lures used to spread RokRAT are themed around South Korean foreign and domestic affairs. The group targets individuals connected to South Korea, such as entrepreneurs, novelists, and academics supporting North Koreans.
The ScarCruft campaign uses a more straightforward method for initiating an attack.
The LNK file strategy starts the ScarCruft infection chain with a single double-click by the victim. Experts say the method is more efficient than an n-day exploit or Office macros, which require more clicks before the payload activates.
However, the threat group still uses macro-based Word documents to drop the malware. Earlier this week, a security researcher disclosed that the group uses LNK files as decoys to start the infection chain, where the archived shortcut files invoke PowerShell commands to launch RokRAT.
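A defender-side triage for the two traits described above, an oversized shortcut and a PowerShell launcher in its arguments, as an added example that is not from the original report or from any vendor tool. It walks the fixed MS-SHLLINK structures to find where the real shortcut data ends, measures the slack after the terminal block, and inspects the COMMAND_LINE_ARGUMENTS field; the 1 MiB cutoff and the constructed sample file are assumptions.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK; flag masks are the spec's LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_IDLIST, FLAG_LINKINFO, FLAG_ARGUMENTS, FLAG_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
SIZE_THRESHOLD = 1024 * 1024  # assumption: genuine shortcuts are a few KB, so 1 MiB is a triage cutoff

def parse_lnk(data: bytes) -> dict:
    """Walk the fixed structures of a .lnk and report its arguments plus where the data ends."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & FLAG_IDLIST:  # LinkTargetIDList: 2-byte size followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:  # LinkInfo: first dword is the size of the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag in STRING_FLAGS:  # StringData: CountCharacters then the unterminated string
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & FLAG_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            strings[flag] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    while pos + 4 <= len(data):  # ExtraData blocks end with a TerminalBlock (size < 4)
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    return {"arguments": strings.get(FLAG_ARGUMENTS, ""), "structured_end": pos, "size": len(data)}

def triage(data: bytes) -> dict:
    """Flag an oversized file, slack after the terminal block, and PowerShell in the arguments."""
    info = parse_lnk(data)
    return {
        "arguments": info["arguments"],
        "oversized": info["size"] > SIZE_THRESHOLD,
        "trailing_bytes": max(0, info["size"] - info["structured_end"]),
        "powershell_args": "powershell" in info["arguments"].lower(),
    }

def build_sample_lnk(arguments: str, padding: int) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS,
    followed by `padding` filler bytes after the TerminalBlock (the 'oversized' trick)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", FLAG_ARGUMENTS | FLAG_UNICODE)
    header += b"\x00" * (76 - len(header))
    args = arguments.encode("utf-16-le")
    return header + struct.pack("<H", len(arguments)) + args + b"\x00" * 4 + b"\x00" * padding

if __name__ == "__main__":
    sample = build_sample_lnk('powershell.exe -c "Write-Host constructed-sample"', 2 * 1024 * 1024)
    print(triage(sample))
```

Genuine shortcuts end at the TerminalBlock, so a large `trailing_bytes` value combined with a PowerShell launcher is the pattern worth escalating.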
Malware analysis showed that RokRAT can perform a range of malicious actions, including information gathering, data exfiltration, screenshotting, credential theft, command and shellcode execution, and file management.
The threat actors then exfiltrate the gathered information via Dropbox, iCloud, Yandex Cloud, and OneDrive, so the command-and-control traffic blends in with legitimate cloud traffic in the eyes of security scanners. Some of the stolen files are in MP3 form.
Lastly, researchers noticed that the threat group has adopted several different malware strains for its attacks. Confirmed strains include GOLDBACKDOOR, Chinotto, M2RAT, BLUELIGHT, and Dolphin. The group could also use the Amadey loader, a commodity malware, in some of its campaigns.
These strains can now target Android and macOS, implying that the threat group constantly upgrades its attack capabilities.
ScarCruft has proven that it has evolved into a dynamic threat that can run several campaigns at once while increasing the efficiency of its techniques. The group's use of custom and commodity malware alongside new delivery tactics makes it more dangerous.
Organisations should follow the latest trends in the cybercriminal landscape to build countermeasures against such threats.