North Korean ScarCruft Spreads RokRAT Malware via LNK File Infection Chain
North Korea’s threat actor is known as ScarCruft began experimenting with large LNK files as a delivery route for RokRAT malware in July 2022, the same month Microsoft started blocking macros across Office documents by default.
“RokRAT has not changed significantly over the years, but its deployment methods have evolved, now using archives containing LNK files that initiate multi-stage infection chains,” Check Point said in a new technical report.
“This is yet another representation of a major trend in the threat landscape, where APTs and cybercriminals alike are working to overcome macro-blocking from untrusted sources.”
ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver a variety of specialized tools.
Hostile collectives, unlike the Lazarus or Kimsuky Groups, are supervised by the Ministry of State Security of North Korea (MSS), assigned to domestic counterintelligence and foreign counterintelligence activities, per Mandiant.
The group’s top choice malware is RokRAT (aka DOGCALL), which has been adapted to other platforms such as macOS (CloudMensis) and Android (RambleOn), indicates that backdoors are being actively developed and maintained.
RokRAT and its variants are equipped to perform various activities such as credential theft, data exfiltration, screen capture, system information gathering, command and shell code execution, and file and directory management.
The collected information, some of which is stored as MP3 files to cover its tracks, is sent back using cloud services such as Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud in an attempt to disguise command-and-control (C2) communications as legitimate.
Other bespoke malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT. It has also been known to use commodity malware such as Amadey, a downloader that can take orders from attackers to download additional payloads, in an attempt to confuse attribution.
The use of LNK files as bait to activate infection sequences was also highlighted by the AhnLab Security Emergency Response Center (ASEC) last week, with files containing the PowerShell commands that spread the RokRAT malware.
While the change in modus operandi signals ScarCruft’s efforts to keep up with the ever-changing threat ecosystem, it continues to leverage a malicious, macro-based Word document as recently as April 2023 to take down malware, mirroring similar chains previously reported by Malwarebytes in January 2021.
Learn How to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
Another wave of attacks was observed in early November 2022, according to an Israeli cybersecurity firm, using ZIP archives that incorporate LNK files to spread Amadey malware.
“The (LNK file) method can trigger infection chains just as effectively with a simple double click, which is more reliable than n-day exploits or Office macros that require an additional click to launch,” Check Point said.
“APT37 continues to pose a sizeable threat, launching multiple campaigns across platforms and significantly improving its malware delivery methods.”
The findings come as Kaspersky unveils a new Go-based malware developed by ScarCruft codenamed SidLevel that leverages cloud messaging service Aly as a C2 mechanism for the first time and comes with “extensive capabilities to steal sensitive information from victims.”
“The group continues to target individuals associated with North Korea, including novelists, academic students, as well as business people who appear to be sending funds back to North Korea,” the Russian cybersecurity firm said. noted in the APT Trends Report for Q1 2023.
