ScarCruft ( APT37)

Initial Access: ScarCruft employs a variety of initial access vectors, with social engineering being a cornerstone of their approach. They utilize highly targeted spear-phishing emails, often impersonating trusted individuals or organizations. These emails may contain malicious attachments (such as HWP, DOC, or LNK files) or links to compromised websites (watering hole attacks). They have also been observed using torrent file-sharing for more indiscriminate malware distribution.

Exploitation: ScarCruft has a history of exploiting vulnerabilities in Adobe Flash, Microsoft Internet Explorer/Edge's scripting engine, and, notably, Hangul Word Processor (HWP). They possess and utilize zero-day vulnerabilities (e.g., CVE-2018-0802, CVE-2024-38178), demonstrating their advanced capabilities. They have also utilized known vulnerabilities like CVE-2020-1380 and CVE-2021-26411. If you are interested in knowing CVSS score , here is the guide.

Execution & Persistence: The APT group uses various methods to execute their malware and achieve persistence. They utilize Windows Script Host (WSH), PowerShell scripts, and malicious JavaScript embedded in websites. For persistence, they often leverage scheduled tasks, registry run keys, or service creation. ScarCruft has also been observed using steganography, hiding malicious code or data within seemingly benign files (like images). Understanding Windows Registry structure is important here.

Command and Control (C2): ScarCruft employs a sophisticated and evolving C2 infrastructure to maintain communication with compromised systems. They utilize compromised servers, legitimate messaging platforms, and cloud service providers (e.g., Dropbox, Google Cloud, pCloud, Yandex Cloud, Microsoft Graph API) to evade detection and blend in with normal network traffic. They demonstrate a strong understanding of operational security (OPSEC), frequently changing their infrastructure and employing encryption to protect their communications.

Malware and Tools: ScarCruft utilizes a diverse suite of custom and publicly available malware. Some notable examples include:

Lateral Movement: ScarCruft demonstrates the capability to move laterally within compromised networks, searching for additional targets and sensitive data. They utilize techniques like remote services and valid accounts for this purpose.

Data Exfiltration: The group's primary objective is to exfiltrate sensitive data. They target a wide range of information, including documents, credentials, and communications from applications like KakaoTalk and WeChat. They often use cloud services for data exfiltration, further complicating detection efforts.

Testing and Development: Recent research indicates that ScarCruft is actively involved in testing and developing new malware and infection chains. This includes experimenting with new techniques like using oversized LNK files and decoy documents related to threat research (e.g., reports on Kimsuky). As cybersecurity becomes more crucial, more people choose ethical hacking as a career.

Geographic Focus:

Industry Verticals:

Political Motivations & Potential Impact: ScarCruft is believed to be operated by North Korean intelligence agencies, they have two goals. One is financial motivation, and the other is political motivation. Their cyberattacks pose many risks like Data breaches, Espionage, Operational disruption, and Intellectual Property theft.

Strategic Intelligence Gathering: ScarCruft's operations are designed to gather strategic intelligence that can inform North Korean policy and decision-making. This includes information on:

Operation Daybreak (2016): Targeted South Korean government and military entities, leveraging vulnerabilities in Hangul Word Processor (HWP).

Operation Erebus (2017): Utilized watering hole attacks to compromise websites frequented by targets of interest.

Operation Code on Toast (2024): Exploited a zero-day vulnerability (CVE-2024-38178) in the Windows Scripting Engine (Internet Explorer Mode in Edge) through compromised "toast" advertisement programs in South Korea, leading to the deployment of RokRAT.

Daily NK Strategic Web Compromise (2021): Injected malicious code into the Daily NK website (a South Korean online newspaper focusing on North Korean issues), exploiting vulnerabilities in Internet Explorer (CVE-2020-1380 and CVE-2021-26411) to deliver Cobalt Strike and BLUELIGHT malware.

Late 2023 Campaigns: Involved phishing emails impersonating members of North Korean research institutes and news organizations, using malicious LNK and HWP files to deliver RokRAT. These campaigns also targeted cybersecurity professionals by using threat research reports as decoys.

Multiple campaigns utilizing diverse attack vectors (2022-2023): ScarCruft employed various methods to deliver the Chinotto PowerShell backdoor, including CHM files, malicious Excel Add-ins (XLL), LNK files, macro-based MS Office documents, and HWP files with embedded OLE objects. To understand security you should also know Basics of Linux .

Security Awareness Training: Educate users about the risks of phishing emails, suspicious attachments, and malicious links. Emphasize the importance of verifying the sender's identity and avoiding clicking on links or opening attachments from untrusted sources. This is particularly crucial given ScarCruft's heavy reliance on phishing attacks or social engineering.

Patch Management: Implement a robust patch management program to ensure that all software, including operating systems, applications (especially HWP, Adobe Flash, and browsers), and security tools, are up-to-date with the latest security patches. This is critical for mitigating the risk of exploitation of known vulnerabilities. Here's an article about patch management strategy.

Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoint activity for malicious behavior, such as unusual process execution, file modifications, and network connections. EDR can help detect and respond to ScarCruft's malware and TTPs.

Network Monitoring: Implement network intrusion detection and prevention systems (IDS/IPS) to monitor network traffic for suspicious activity, such as connections to known C2 servers or unusual data exfiltration patterns. You need to implement security logging and monitoring.

Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about ScarCruft's latest TTPs, IOCs, and campaigns. This information can be used to proactively adjust security controls and hunt for potential threats.

Multi-Factor Authentication (MFA): Implement MFA for all critical systems and accounts to reduce the risk of credential theft and unauthorized access.

Application Control: Restrict the execution of unauthorized applications, particularly those commonly used by ScarCruft, such as mshta.exe.

Macro Security: Disable or restrict macros in Microsoft Office applications, as these are often used as an initial infection vector.

Cloud Security Monitoring: Monitor cloud service usage for suspicious activity, as ScarCruft frequently leverages cloud platforms for C2 and data exfiltration.

Incident Response Plan: Develop and regularly test an incident response plan to ensure that your organization can effectively respond to and recover from a ScarCruft intrusion. Knowing about the incident response lifecycle is a must.

YARA rules: Implement and update the Yara rules for ScarCruft-associated malware detection.

North Korean Hackers Deploy New OtterCookie Malware Targeting Software Developers

North Korean Hackers Embed Malware in macOS Flutter Apps, Targets Cryptocurrency Users

North Korean Hackers Steal $50 Million from Radiant Capital DeFi Platform

Lazarus Group

Kimsuky (APT43)