ScarCruft resurfaces and targets North Korean affairs experts

February 26, 2024
North Korea ScarCruft Phishing Cybercriminals Data Theft

A revitalised operation by the North Korea-sponsored ScarCruft group is currently targeting media organisations and high-profile experts in North Korean affairs.

Based on reports, this newly discovered campaign started in December last year. The attackers designed it to harvest threat intelligence and defence strategies from the targeted organisations and experts.


North Korean-backed ScarCruft group leverages a new strategy for this campaign.


According to investigations, the ScarCruft group adopts a deceptive modus operandi in its latest campaign. Initial assessment revealed that the attackers pose as members of the Institute for North Korean Studies (INKS) and send phishing emails from the address kirnchi122[@]hanmail[.]net to an expert in North Korean affairs.

The email carried an attached archive named ‘December 13th announcement.zip,’ presented as materials from a fabricated event related to the targeted individual. To enhance credibility, the attackers falsely claimed in the email that the meeting had taken place on the same day the email was sent.

The archive contained nine files: seven seemingly harmless Hangul Word Processor (HWP) and PowerPoint documents, and two malicious LNK (Windows shortcut) files. Opening the LNK files initiates the download of the RokRAT backdoor, which uses public cloud services such as pCloud and Yandex Cloud for C2 communication.
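A defender-side check for the lure pattern described above, added here as an example and not part of the original report: it inspects an archive's member listing without extracting anything and flags archives that mix document files with LNK shortcuts, including names such as `report.hwp.lnk` that hide the shortcut behind a document extension (the sample file names below are constructed, not the actual archive contents).

```python
import io
import zipfile
from pathlib import PurePosixPath

# Document formats the lure archive is described as mixing with Windows
# shortcut (.lnk) files.
DOCUMENT_EXTS = {".hwp", ".ppt", ".pptx"}
SHORTCUT_EXT = ".lnk"


def find_shortcut_lures(zip_bytes: bytes) -> dict:
    """Inspect an archive's member names only; nothing is extracted or run.

    Returns every .lnk member, the subset whose name carries a document
    extension in front of .lnk (a type-masking trick, since Windows hides
    the .lnk suffix), the count of document members, and an overall verdict.
    """
    findings = {"shortcuts": [], "double_extension": [], "documents": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes:
                continue
            if suffixes[-1] == SHORTCUT_EXT:
                findings["shortcuts"].append(info.filename)
                if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
                    findings["double_extension"].append(info.filename)
            elif suffixes[-1] in DOCUMENT_EXTS:
                findings["documents"] += 1
    # Documents bundled with shortcuts is the lure shape worth escalating.
    findings["suspicious"] = bool(findings["shortcuts"]) and findings["documents"] > 0
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure: seven document names plus two
    shortcuts (names and contents are placeholders made up for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 6):
            zf.writestr(f"announcement_{i}.hwp", b"placeholder")
        zf.writestr("agenda.pptx", b"placeholder")
        zf.writestr("speakers.ppt", b"placeholder")
        zf.writestr("summary.hwp.lnk", b"placeholder")
        zf.writestr("schedule.lnk", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_shortcut_lures(build_sample_archive()))
```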

Researchers add that this campaign is more concerning because it overlaps with an earlier one in November 2023. Some individuals targeted in the December operation had also received phishing emails during the November campaign, in which ScarCruft used a similar approach, impersonating a member of a North Korea research institute to send malicious HWP files disguised as North Korean market price analysis data.

Further analysis disclosed that ScarCruft shares operational characteristics with Kimsuky, including infrastructure and command-and-control server configurations. The group’s past activities suggest a primary focus on gathering intelligence in line with the efforts of the Ministry of State Security (MSS) to support North Korean military development.

The re-emergence of ScarCruft shows that targeted individuals should treat these campaigns as a prompt to raise their awareness and build a thorough understanding of the threats aimed at them.

As ScarCruft continues to evolve, organisations should remain vigilant and adopt robust cybersecurity strategies to protect systems from potential breaches and data compromise.
