A glimpse into future ScarCruft campaigns - Attackers gather strategic intelligence and target cybersecurity professionals
January 2024 by SentinelLabs
In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea’s academic sector and a news organisation focused on North Korea. SentinelLabs has observed persistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery methods, and infrastructure, SentinelLabs assessed with high confidence that the campaigns are orchestrated by ScarCruft. Also known as APT37 and InkySquid, ScarCruft is a suspected North Korean advanced persistent threat (APT) group with a long history of targeted attacks against individuals as well as public and private entities, primarily in South Korea.
In addition, SentinelLabs retrieved malware that they assess is currently in the planning and testing phases of ScarCruft’s development cycle and will likely be used in future campaigns. In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, it is suspected that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organisations, and other cybersecurity professionals.
By targeting high-profile experts in North Korean affairs and news organisations focused on North Korea, ScarCruft continues to fulfil its primary objective of gathering strategic intelligence. This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.
ScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defence strategies. This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches. As SentinelLabs continues to track suspected North Korean threat actors and their pace of experimentation, they assess ScarCruft has a growing interest in mimicking cybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts directly, or more broadly through brand impersonation.
· SentinelLabs observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organisations and high-profile experts in North Korean affairs.
· SentinelLabs has recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably intended for use in future campaigns.
· ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
· ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defence strategies.
The findings outlined in the report highlight ScarCruft’s ongoing dedication to gathering strategic intelligence through targeted attacks. SentinelLabs’ insight into ScarCruft’s malware testing activities reveals the adversary’s commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses.
SentinelLabs has observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.
SentinelLabs suspects that ScarCruft is pursuing non-public cyber threat intelligence and defence strategies. This could benefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat landscape, aiding them in identifying threats to their operations and improving their operational playbooks.
A heightened awareness and better understanding of the adversary’s attack and infection methods among potential targets are crucial for effective defence. SentinelLabs remains actively engaged in tracking ScarCruft activities and supporting the organisations and individuals at risk of being targeted.