SentinelLabs observed ScarCruft targeting North Korea-focused media and experts, with malware found in planning and testing phases for future campaigns. The group is experimenting with new infection chains that use decoy threat reports to attract threat-intelligence consumers, and appears intent on gathering strategic cyber threat intelligence. Hashtags: #ScarCruft #RokRAT #Kimsuky #InkySquid #DailyNK #CherryServers #Genians
Key points
- ScarCruft targeted media organizations and North Korea experts in South Korea, showing persistent targeting over two months.
- Malware samples were recovered in ScarCruft’s planning/testing phase, suggesting preparation for future campaigns.
- The campaign uses decoy threat intel documents (including Kimsuky-related material) to lure threat-intelligence consumers.
- Infection chains employ oversized LNK files delivering RokRAT with multi-stage execution and evasion techniques.
- Hex-encoded PowerShell payloads, batch files, and an XOR-encrypted archive stage RokRAT, which then uses public cloud storage (e.g., pCloud, Yandex Cloud) for C2.
- Metadata and infrastructure hints (e.g., the “bandi” pseudonym) suggest links to Kimsuky and overlapping threat activity; the campaigns also overlapped with prior ScarCruft operations.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – A phishing email impersonating a member of the North Korea Research Institute was used to deliver a malicious archive containing LNKs. ‘A phishing email, impersonating a member of the North Korea Research Institute (Institute for North Korean Studies – INKS), was sent …’
- [T1023] Shortcut Modification – LNK files disguise themselves as Hanword documents using the Hangul Word Processor icon, blending in with benign files. ‘LNK files disguise themselves as Hanword documents, using the Hangul Word Processor icon (the Icon location …)’
- [T1059.001] PowerShell – PowerShell code executed by the LNK files decodes and runs payloads, including scripts extracted from the LNK and a hex-encoded PowerShell script. ‘The decoded script downloads from a major Cloud file hosting provider …’
- [T1027] Obfuscated/Compressed Files and Information – The hex-encoded PowerShell script and XOR-decryption of myprofile.zip exemplify data obfuscation and payload decoding. ‘XOR-decrypts the file using the first byte as an XOR key, and executes the decrypted content’
- [T1071.001] Web Protocols – RokRAT uses public cloud storage (pCloud, Yandex Cloud) for C2, disguising malicious communication as legitimate traffic. ‘RokRAT uses public Cloud services for command-and-control purposes …’
Indicators of Compromise
- [SHA-1 Hashes] – intelligence.lnk, Malicious HWP document, Malicious Office document. Examples: 0ED884A3FC5C28CDB8562CD28993B30991681B0A, 2F78ABC001534E28EB208A73245CE5389C40DDBE
- [Domains] – app.documentoffice.club, nav.offlinedocument.site, instantreceive.org
- [URLs] – C2 and download URLs such as http://app.documentoffice.club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950, http://nav.offlinedocument.site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC
- [IP Addresses] – 84.32.129.32, 84.32.131.104 (Cherry Servers VPS)
- [Email Addresses] – [email protected], [email protected]
- [File Names] – intelligence.lnk, 111223.bat, public.dat, myprofile.zip, news.lnk