North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being targeted by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly targeted surveillance attacks.
Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as ScarCruft, also known as APT37, Reaper Group, InkySquid, and Ricochet Chollima.
“The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications,” the company’s Global Research and Analysis Team (GReAT) said in a new report published today. “Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts.”
Likely active since at least 2012, ScarCruft is known for targeting public- and private-sector organizations in South Korea with the aim of stealing sensitive information stored on compromised systems, and it has previously been observed using a Windows-based backdoor called RokRAT.
The primary initial infection vector used by APT37 is spear-phishing, in which the actor sends the target an email carrying a weaponized malicious document. In August 2021, the threat actor was observed using two exploits for the Internet Explorer web browser to infect victims with a custom implant known as BLUELIGHT, delivered through a watering hole attack staged against a South Korean online newspaper.