Cybersecurity researchers have offered to take a closer look at the RokRAT remote access trojan used by North Korea’s state-sponsored actor known as ScarCruft.
“RokRAT is a sophisticated remote access trojan (RAT) that has been observed to be a critical component in attack chains, enabling threat actors to gain unauthorized access, extract sensitive information, and potentially maintain ongoing control over compromised systems,” ThreatMon said.
ScarCruft, active since at least 2012, is a cyber espionage group operating on behalf of the North Korean government, focused exclusively on targets in its southern partners.
The group is believed to be a subordinate element within North Korea’s Ministry of State Security (MSS). The chain of attacks mounted by the group relies heavily on social engineering to spearhead victims and deliver payloads into the target’s network.
This includes exploiting a vulnerability in Hancom’s Hangul Word Processor (HWP), a productivity software widely used by public and private organizations in South Korea, to deliver its signature malware dubbed RokRAT.
The Windows backdoor, also called DOGCALL, is actively developed and maintained, and has since ported over to other operating systems such as macOS and Android.
Recent spear-phishing attacks, as evidenced by the AhnLab Security Emergency Response Center (ASEC) and Check Point, have used LNK files to trigger a multi-stage infection sequence that ultimately resulted in the spread of the RokRAT malware.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
RokRAT allows adversaries to harvest system metadata, take screenshots, execute arbitrary commands received from remote servers, enumerate directories, and extract files of interest.
Developments come as ASEC disclosed the ScarCruft attack utilizes a Windows executable masquerading as a Hangul document to drop malware that is configured to contact an external URL every 60 minutes.
“The URL listed in the task scheduler appears to be a normal homepage, but contains a web shell,” said ASEC.