North Korea’s ScarCruft Deploys RokRAT Malware via LNK File Infection Chains

May 2, 2023 | Ravie Lakshmanan | Threat intelligence


The North Korean threat actor known as ScarCruft has been experimenting with oversized LNK files as a delivery route for the RokRAT malware since July 2022, the same month Microsoft began blocking macros by default in Office documents downloaded from the internet.

“RokRAT has not changed significantly over the years, but its deployment methods have evolved, now using archives containing LNK files that start multi-stage infection chains,” Check Point said in a new technical report.

“This is another representation of an important trend in the threat landscape, where both APTs and cybercriminals are trying to overcome macro blocking from untrusted sources.”

ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets individuals and entities in South Korea with spear-phishing attacks designed to deliver a range of bespoke tools.


The group, unlike the Lazarus Group or Kimsuky, is overseen by North Korea’s Ministry of State Security (MSS), which is responsible for domestic and overseas counterintelligence activities, according to Mandiant.

The group’s main malware of choice is RokRAT (aka DOGCALL), which has since been adapted to other platforms, including macOS (CloudMensis) and Android (RambleOn), indicating that the backdoor is actively developed and maintained.

RokRAT and its variants are equipped to carry out a wide range of activities, such as stealing credentials, exfiltrating data, capturing screenshots, gathering system information, executing commands and shellcode, and managing files and directories.


The collected information, some of which is stored as MP3 files to cover its tracks, is sent back through cloud services such as Dropbox, Microsoft OneDrive, pCloud and Yandex Cloud in an attempt to disguise the command-and-control (C2) communications as legitimate traffic.

Other custom malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin and, most recently, M2RAT. Commodity malware such as Amadey, a downloader that takes commands from the attacker to fetch additional payloads, is also known to be used in an attempt to muddy attribution.

The use of LNK files as lures to trigger infection sequences was also highlighted by the AhnLab Security Emergency Response Center (ASEC) last week, with the shortcuts carrying PowerShell commands that deploy RokRAT.
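As an added example (not code from Check Point, ASEC or the article), the following Python script performs the static triage a defender would want for the shortcuts described above: it parses the Shell Link header and StringData fields according to the public MS-SHLLINK layout, recovers the command line the shortcut would execute on double-click, and measures any bytes appended after the ExtraData terminator, which is where an oversized LNK carries its bundled payload. It also walks the ZIP wrapper the article mentions later. The sample shortcut, its PowerShell one-liner, the suspicious-argument patterns and the 1 MiB overlay threshold are all constructed for illustration and are not published indicators.

```python
"""Static triage of Windows Shell Link (.lnk) files.

Field layout follows MS-SHLLINK (the public Shell Link format specification):
ShellLinkHeader, optional LinkTargetIDList, optional LinkInfo, StringData,
ExtraData blocks terminated by a block whose size is < 4. Anything after
that terminator is not part of the format and is reported as an overlay.
"""
import io
import re
import struct
import zipfile
from dataclasses import dataclass

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1); only those this parser needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (  # StringData fields appear in exactly this order when their flag is set
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)

# Heuristics chosen for this example (assumption, not a published signature set).
SUSPICIOUS_PATTERNS = (
    r"powershell|pwsh", r"\s-e(c|nc|ncodedcommand)?\s", r"-ep\s+bypass|-executionpolicy\s+bypass",
    r"-w(indowstyle)?\s+hidden", r"\bcmd(\.exe)?\s+/[ck]\b", r"mshta|wscript|cscript|rundll32",
    r"\.lnk\b",  # a shortcut that reads .lnk files is how an appended payload gets carved out
)
OVERLAY_THRESHOLD = 1024 * 1024  # 1 MiB; legitimate shortcuts are a few KiB


@dataclass
class LnkReport:
    size: int
    structure_end: int   # offset where the parsed Shell Link structure ends
    overlay_size: int    # bytes after the ExtraData terminator
    strings: dict
    hits: list

    @property
    def command_line(self) -> str:
        return (self.strings.get("relative_path", "") + " " + self.strings.get("arguments", "")).strip()


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData field: 2-byte CountCharacters followed by the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le", errors="replace"), off + 2 * count
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data: bytes) -> LnkReport:
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            strings[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 4 <= len(data):                # ExtraData: BlockSize-prefixed blocks
        (block_size,) = struct.unpack_from("<I", data, off)
        if block_size < 4:                     # TerminalBlock
            off += 4
            break
        off += block_size
    report = LnkReport(len(data), off, len(data) - off, strings, [])
    cmd = report.command_line.lower()
    report.hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd)]
    if report.overlay_size > OVERLAY_THRESHOLD:
        report.hits.append(f"overlay:{report.overlay_size}")
    return report


def scan_zip(zip_bytes: bytes) -> dict:
    """Triage every .lnk inside an archive, the delivery wrapper the article describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: parse_lnk(zf.read(n)) for n in zf.namelist() if n.lower().endswith(".lnk")}


def build_zip(entries: dict) -> bytes:
    """Helper for tests: pack {name: bytes} into an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def build_lnk(relative_path: str, arguments: str = "", overlay: bytes = b"") -> bytes:
    """Construct a minimal, spec-valid .lnk for testing (no IDList, LinkInfo or ExtraData blocks)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20) + b"\x00" * 24                 # FileAttributes, three FILETIMEs
    header += struct.pack("<IIIHH", 0, 0, 7, 0, 0) + b"\x00" * 8     # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    fields = [relative_path, arguments] if arguments else [relative_path]
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in fields)
    return header + body + b"\x00\x00\x00\x00" + overlay              # TerminalBlock, then whatever was appended


# Constructed sample: a shortcut that launches hidden PowerShell which re-reads the oversized
# .lnk it lives in and carves a payload out of the appended bytes (illustrative, not a real IOC).
SAMPLE_ARGS = r'''-windowstyle hidden -ep bypass -c "$f=Get-ChildItem *.lnk|?{$_.Length -gt 1MB};$b=[IO.File]::ReadAllBytes($f.FullName);[IO.File]::WriteAllBytes($env:TEMP+'\d.bat',$b[4096..65535])"'''
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       SAMPLE_ARGS, overlay=b"\x90" * (2 * 1024 * 1024))
BENIGN_LNK = build_lnk(r"..\..\..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        r = parse_lnk(blob)
        print(f"{label}: size={r.size} overlay={r.overlay_size} hits={r.hits}\n  {r.command_line[:120]}")
```

Two design points matter in practice: the overlay measurement is independent of the command-line heuristics, so a shortcut with an innocuous-looking target but megabytes of trailing data still surfaces; and the parser honours the IsUnicode flag, because the same file can carry its command in UTF-16 or in the ANSI code page and a signature written for only one encoding misses the other.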

While the change in modus operandi reflects ScarCruft’s effort to keep pace with the shifting threat landscape, the group continued to use macro-laden Word documents to drop the malware as recently as April 2023, mirroring a similar chain reported by Malwarebytes in January 2021.



Another attack wave observed in early November 2022, according to the Israeli cybersecurity company, used ZIP archives that embedded LNK files to deploy the Amadey malware.

“[The LNK file] method can trigger an equally effective infection chain with a simple double-click, more reliable than n-day exploits or Office macros that require additional clicks to launch,” Check Point said.

“APT37 continues to pose a considerable threat, launching multiple campaigns across all platforms and significantly improving its malware delivery methods.”

The findings come as Kaspersky revealed a new Go-based malware developed by ScarCruft codenamed SidLevel that uses the Ably cloud messaging service as a C2 mechanism for the first time and includes “extensive capabilities to steal sensitive information from the victims”.

“The group continues to target people connected to North Korea, including novelists, academic students, and also business people who appear to be sending funds to North Korea,” the Russian cybersecurity firm noted in its APT trends report for the first quarter of 2023.

Ikaroa, a full-stack tech company, has reviewed the reporting that North Korea’s ScarCruft advanced persistent threat (APT) group is running a new campaign that abuses Windows LNK shortcut files to deliver malware through file overlays and multi-stage infection chains.

According to researchers, the malicious LNKs lead to the deployment of the RokRAT backdoor, first documented in 2017. The payload is delivered through file-infection and overlay methods, which lets the attack install its components in increments and lowers the detection rate and the chance of an early response compared with dropping the final malware directly onto the victim’s machine.

RokRAT is classified as a remote access trojan (RAT); once it is deployed on a victim machine, the attackers can log keystrokes, steal data, harvest passwords, gain remote access to the desktop, and download additional malicious programs.

The infection chain consists of two stages: the first downloads a file named “update.exe”, which connects to a C2 server. The second stage downloads a malicious JavaScript file that gives ScarCruft control of the system and then retrieves the RokRAT backdoor.

Ikaroa urges everyone to take these findings seriously and to take appropriate measures to protect their systems. IT professionals should keep anti-virus and malware detection tooling current and treat .lnk files arriving inside archives or by email as hostile by default, since a double-click on a shortcut runs its embedded command without the prompt that blocks Office macros. Ikaroa’s security experts also recommend that organizations apply OS patches promptly, maintain tested backups, and triage potential incidents and alerts quickly.

