ScarCruft: A group of hackers that attacks not only your data, but also your defenders

Brother

Why did the attackers change their targeting, and what do they hope to achieve?

In December 2023, media organizations and well-known experts on North Korean affairs became the targets of a new North Korean malware campaign run by the hacker group ScarCruft. SentinelOne researchers reported that the group is experimenting with new infection chains, using technical threat reports as the lure. From this it follows that the attackers were also targeting cybersecurity specialists who regularly read threat intelligence.

ScarCruft, also tracked as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is believed to be linked to North Korea's Ministry of State Security. This sets it apart from the Lazarus and Kimsuky groups, which are considered part of the DPRK's Reconnaissance General Bureau. According to researchers, ScarCruft's main purpose is intelligence collection, including through phishing attacks, in service of the DPRK's strategic interests.

North Korean state media recently reported a test of an "underwater nuclear weapons system" in response to U.S., South Korean and Japanese exercises near the Korean Peninsula. The latest ScarCruft attack recorded by SentinelOne targeted a foreign expert on North Korea, who was e-mailed a ZIP archive purportedly containing presentation materials.

Seven of the nine files in the archive were harmless; the remaining two were malicious Windows shortcut (LNK) files used to deliver the RokRAT malware. A similar multi-stage infection chain delivering the same malware had already been described by Check Point in May 2023.

However, ScarCruft regularly changes its methods to evade detection after its tactics are publicly disclosed. According to the researchers, ScarCruft is committed to collecting strategic intelligence and may be seeking insight into other countries' non-public cybersecurity and defense strategies.

"This allows attackers to better understand how the international community perceives events in the DPRK, and thus contributes to the decision-making processes within the country," the study says.
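The ZIP-with-shortcuts delivery described above is the kind of artefact a defender has to triage, so here is a small checking routine. The following Python code is an added example and is not part of the original post or of SentinelOne's research: it builds a constructed archive (seven harmless text files and two fabricated shortcut files whose content is only a valid ShellLink header plus padding, with no real RokRAT payload) and scans the entries for Windows shortcuts by checking the fixed 20-byte header defined in MS-SHLLINK rather than trusting the file name, and additionally flags double extensions such as `.pdf.lnk`. The function names (`scan_zip_for_lnk`, `build_sample_archive`, `has_double_extension`) and the document-extension list are this example's own assumptions.

```python
import io
import zipfile

# First 20 bytes of every Windows shortcut (MS-SHLLINK ShellLinkHeader):
# HeaderSize = 0x0000004C, then LinkCLSID {00021401-0000-0000-C000-000000000046}
# in its little-endian on-disk form.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Assumed list of extensions a lure typically imitates (example's own choice).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "ppt", "pptx", "xls", "xlsx",
                 "hwp", "txt", "jpg", "png"}


def is_lnk(data: bytes) -> bool:
    """True if the data starts with the fixed ShellLink header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def has_double_extension(name: str) -> bool:
    """True for names like 'agenda.pdf.lnk' whose inner suffix is a document type."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS


def scan_zip_for_lnk(zip_bytes: bytes) -> list:
    """Return one finding per archive entry that is a shortcut by header or by name.

    The header check reads only the first 20 bytes of each entry, so even a
    shortcut renamed to hide its nature is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_magic = is_lnk(head)
            by_ext = info.filename.lower().endswith(".lnk")
            if by_magic or by_ext:
                findings.append({
                    "name": info.filename,
                    "lnk_magic": by_magic,
                    "lnk_extension": by_ext,
                    "double_extension": has_double_extension(info.filename),
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive: 7 benign files, 2 shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(1, 8):
            zf.writestr(f"slides/page{i}.txt", f"harmless slide text {i}\n")
        # Fabricated shortcut bodies: a real ShellLink header followed by zero
        # padding. They carry no command line and no payload.
        fake_lnk = LNK_MAGIC + b"\x00" * 56
        zf.writestr("slides/agenda.pdf.lnk", fake_lnk)   # double-extension lure
        zf.writestr("slides/speaker_bio.lnk", fake_lnk)  # plain shortcut
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_for_lnk(build_sample_archive()):
        print(finding)
```

Windows Explorer never displays the `.lnk` suffix, so `agenda.pdf.lnk` is shown to the victim as `agenda.pdf` with only a small shortcut overlay on the icon; that is why the check keys on the header bytes and on the double extension rather than on what the file appears to be. A real triage pass would go on to parse the shortcut's target and command-line arguments, which this example deliberately does not attempt because the post gives no details of the RokRAT chain.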