Rewterz Threat Alert – APT37 Aka ScarCruft or RedEyes – Active IOCs – Rewterz

APT37 (ScarCruft/Red Eyes) is a North Korean state-sponsored cyber-espionage group active since 2012, primarily targeting South Korea but with operations in many other countries. It has moved to distributing RokRAT via LNK files containing PowerShell commands and uses cloud services such as Dropbox, pCloud, Yandex Cloud, and OneDrive for C2 and data exfiltration.

Keypoints

  • APT37 (ScarCruft/Red Eyes) is a North Korean state-sponsored cyber-espionage group active since 2012, targeting South Korea and other nations worldwide.
  • Historically linked campaigns from 2016–2018 include Operation Daybreak, Erebus, Golden Time, Evil New Year, North Korean Human Rights, and Evil New Year 2018, with tools such as Goldbackdoor and RokRAT.
  • RedEyes has distributed CHM malware disguised as a security email from a Korean financial company and now distributes RokRAT via LNK files containing PowerShell commands.

MITRE Techniques

  • [T1059.001] PowerShell – The LNK files discovered contain PowerShell commands, which enable the execution of malicious actions.
  • [T1082] System Information Discovery – RokRAT collects machine-specific information to tailor its actions. [‘This data collection phase likely serves the purpose of helping the attackers identify whether the infected machine aligns with their desired targets.’]
  • [T1102] Web Service – RokRAT uses cloud services to communicate with the attacker’s infrastructure. [‘It makes use of reputable cloud services such as Dropbox, pCloud, Yandex Cloud, and OneDrive to communicate with the attacker’s infrastructure.’]
  • [T1027] Obfuscated/Compressed Files and Information – The malware employs encryption techniques to obfuscate its network communication. [‘encryption techniques to obfuscate its network communication’]

Indicators of Compromise

  • [MD5] – e8d3d6dbec4bc86ece8a44b16f1e3e2e, 920ccffa488d2b0e9aa19acc5f31fc3a
  • [SHA-256] – 194354cae93878dc3ba6ca2f71b70452ea0f1ac9d62f95431e5d3483b4f83074, b364bac52981edd74fbc45cca4216e66da5df9918000cc4617156ab42c914e7e
  • [SHA-1] – dcf9418847bf5e43c2765d615febd7b4bae010b8, 40e1912a525c64f2dc582f2e1c87521706889d6d
  • [URL] – http://goodmarket.or.kr/admin/sms/net.php, http://goodmarket.or.kr/admin/sms/3.html
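As an added detection example that is not part of the Rewterz alert: a Python triage routine that walks a Shell Link (.lnk) file's MS-SHLLINK layout to extract its command-line arguments, flags LNKs that invoke PowerShell (T1059.001), and checks the file's SHA-256 against the hashes listed above. The sample LNK is constructed inline; only the two SHA-256 values come from the alert.

```python
import hashlib
import struct

# SHA-256 values published in this alert's IOC list.
ALERT_SHA256 = {
    "194354cae93878dc3ba6ca2f71b70452ea0f1ac9d62f95431e5d3483b4f83074",
    "b364bac52981edd74fbc45cca4216e66da5df9918000cc4617156ab42c914e7e",
}

HEADER_SIZE = 0x4C  # MS-SHLLINK ShellLinkHeader is 76 bytes; LinkFlags at 0x14
HAS_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 2, 1 << 3, 1 << 4, 1 << 5
IS_UNICODE = 1 << 7


def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of an .lnk file ("" if absent/invalid)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        return ""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) followed by IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    args = ""
    # StringData fields follow in this fixed order, each CountCharacters + chars.
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        text = data[pos + 2:pos + 2 + count * width].decode(enc, errors="replace")
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            args = text
    return args


def triage_lnk(data: bytes) -> dict:
    """Flag PowerShell-bearing LNKs (T1059.001) and hash matches against the alert."""
    args = lnk_arguments(data)
    sha256 = hashlib.sha256(data).hexdigest()
    return {"sha256": sha256, "ioc_match": sha256 in ALERT_SHA256,
            "powershell": "powershell" in args.lower(), "arguments": args}


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test fixture: minimal Unicode LNK carrying only an arguments string."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `triage_lnk` over the bytes of every .lnk found in mail attachments or user download folders; a `powershell` hit warrants inspection even when `ioc_match` is false, since hashes change between samples.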

Read more: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt37-aka-scarcruft-or-redeyes-active-iocs-2/