A recent report issued by SentinelLabs has shed light on a new campaign by the North Korean advanced persistent threat (APT) group ScarCruft. The report suggests that the group has been targeting cybersecurity professionals and experts in North Korean affairs, particularly those located in South Korea.
According to the report, ScarCruft has been engaging in a persistent information-gathering campaign, with the aim of obtaining strategic intelligence related to developments in North Korea. The group’s activities are believed to contribute to their understanding of how the international community, particularly the West, perceives developments in North Korea, thus aiding their decision-making processes.
In addition to evidence of the targeting of cybersecurity professionals, SentinelLabs also retrieved malware that is still in the planning and testing phases of ScarCruft's development cycle. The malware includes a spectrum of shellcode variants that deliver RokRAT and public tooling, as well as two oversized LNK (Windows shortcut) files named inteligence.lnk and news.lnk. This malware is designed to run additional payloads and enable data exfiltration. It uses a public threat research report on the North Korean threat actor Kimsuky as a decoy. The report, written in Korean, comes from Genians, a South Korean cybersecurity company.
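The report's mention of oversized LNK files suggests a simple triage check a defender can run over collected shortcut files: confirm that a file really carries the Shell Link header from the MS-SHLLINK specification (a 0x4C-byte header and the fixed Shell Link CLSID) and then flag any whose total size is far larger than a normal shortcut. The Python below is an added example written for this article, not code from SentinelLabs or from the report; the 64 KiB threshold and the sample byte strings are constructed assumptions for illustration, not samples from the campaign.

```python
import struct
from pathlib import Path

# Constants from the MS-SHLLINK specification (Shell Link header).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_HAS_ARGUMENTS = 1 << 5      # LinkFlags bit: a command-line argument string is present
FLAG_HAS_ICON_LOCATION = 1 << 6  # LinkFlags bit: an icon location string is present

# Assumed threshold: ordinary shortcuts are a few KB, so anything well above that is worth a look.
OVERSIZE_THRESHOLD = 64 * 1024


def inspect_lnk(data: bytes, threshold: int = OVERSIZE_THRESHOLD) -> dict:
    """Parse the fixed Shell Link header and report size-based indicators.

    Returns a dict with:
      is_lnk        - header size and CLSID match the specification
      size          - total file size in bytes
      oversized     - size exceeds the threshold (only meaningful when is_lnk is True)
      has_arguments - LinkFlags says a command-line argument string is present
      flags         - raw LinkFlags value
    """
    result = {"is_lnk": False, "size": len(data), "oversized": False,
              "has_arguments": False, "flags": 0}
    if len(data) < LNK_HEADER_SIZE:
        return result
    (header_size,) = struct.unpack_from("<I", data, 0)
    clsid = data[4:20]
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return result
    (flags,) = struct.unpack_from("<I", data, 0x14)
    result.update(is_lnk=True, flags=flags,
                  has_arguments=bool(flags & FLAG_HAS_ARGUMENTS),
                  oversized=len(data) > threshold)
    return result


def triage(samples: dict) -> list:
    """Return the names of samples that are structurally valid LNK files and oversized."""
    flagged = []
    for name, data in samples.items():
        info = inspect_lnk(data)
        if info["is_lnk"] and info["oversized"]:
            flagged.append(name)
    return flagged


def scan_directory(root: str, threshold: int = OVERSIZE_THRESHOLD) -> list:
    """Walk a directory and return (path, size) for every oversized valid .lnk file."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        info = inspect_lnk(path.read_bytes(), threshold)
        if info["is_lnk"] and info["oversized"]:
            hits.append((str(path), info["size"]))
    return hits


def build_header(flags: int) -> bytes:
    """Constructed minimal 76-byte Shell Link header used only to build test inputs."""
    hdr = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return hdr + b"\x00" * (LNK_HEADER_SIZE - len(hdr))


# Constructed inputs (not real samples): a normal-sized shortcut, an oversized one, and a non-LNK file.
SAMPLE_NORMAL = build_header(FLAG_HAS_ARGUMENTS) + b"\x00" * 500
SAMPLE_OVERSIZED = build_header(FLAG_HAS_ARGUMENTS | FLAG_HAS_ICON_LOCATION) + b"\x00" * (100 * 1024)
SAMPLE_NOT_LNK = b"%PDF-1.4\n" + b"\x00" * 100

if __name__ == "__main__":
    samples = {"normal": SAMPLE_NORMAL, "oversized": SAMPLE_OVERSIZED, "not_lnk": SAMPLE_NOT_LNK}
    for name, data in samples.items():
        print(name, inspect_lnk(data))
    print("flagged:", triage(samples))
```

The check is deliberately narrow: it only tells you that a file is a genuine Shell Link structure whose size is out of the ordinary, which is the property the report calls out. Anything it flags still needs the remainder of the file (the argument string and any trailing data) examined in a sandbox before drawing conclusions.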
Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, noted that while North Korean threat actors have targeted infosec professionals in the past through social engineering attacks, this is the first time they have observed the use of threat research reports as decoys.
These findings are in line with previous campaigns by nation-state actors targeting security researchers. For instance, a government-backed North Korean entity was found to have employed several means to target security researchers working on vulnerability research and development at different companies and organizations. One tactic involved creating fake profiles and blogs to build credibility with researchers before seeking to collaborate on research.
Similarly, an unknown threat actor created phony GitHub accounts posing as staff of both non-existent and legitimate cybersecurity companies, while a suspected North Korean group created fake LinkedIn accounts, posing as recruiters to lure cybersecurity professionals. In these instances, threat actors used social media sites to build rapport with their targets, sometimes carrying on months-long conversations in a bid to ultimately send them malicious files containing a zero-day exploit.
These campaigns underscore the value placed on targeting cybersecurity professionals and threat analysts by nation-state APT actors. Not only can they provide access to non-public intelligence regarding malware and mitigations, but they can also become attack vectors through which security firms themselves could become victims.
It is clear that the cybersecurity community needs to remain vigilant and proactive in protecting itself against these sophisticated and targeted attacks. As nation-state actors continue to adapt and evolve their tactics, it is essential that information security personnel are aware of the various methods through which they may be targeted and take the necessary precautions to safeguard themselves and their organizations.
