Mar 22, 2023Ravie Lakshmanan
The North Korean advanced persistent threat (APT) actor dubbed
ScarCruft is using weaponized Microsoft Compiled HTML Help
(CHM) files to download additional malware.
According to multiple reports from AhnLab Security
Emergency response Center[1]
(ASEC[2]), SEKOIA.IO[3], and Zscaler[4], the findings are
illustrative of the group’s continuous efforts to refine and retool
its tactics to sidestep detection.
“The group is constantly evolving its tools, techniques, and
procedures while experimenting with new file formats and methods to
bypass security vendors,” Zscaler researchers Sudeep Singh and
Naveen Selvan said in a new analysis published Tuesday.
ScarCruft, also tracked under the names APT37, Reaper, RedEyes,
and Ricochet Chollima, has exhibited an increased operational tempo
since the start of the year, targeting various South Korean
entities for espionage purposes. It is known to be active since at
least 2012.
Last month, ASEC disclosed[5]
a campaign that employed HWP files that take advantage of a
security flaw in the Hangul word processing software to deploy a
backdoor referred to as M2RAT[6].
But new findings reveal the threat actor is also using other
file formats such as CHM, HTA, LNK, XLL, and macro-based Microsoft
Office documents in its spear-phishing attacks against South Korean
targets.
These infection chains often serve to display a decoy file and
deploy an updated version of a PowerShell-based implant known as
Chinotto[7], which is capable of
executing commands sent by a server and exfiltrating sensitive
data.
Some of the new capabilities of Chinotto include capturing
screenshots every five seconds and logging keystrokes. The captured
information is saved in a ZIP archive and sent to a remote
server.
WEBINAR
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app
access to your company’s SaaS apps? Join our webinar to learn about
the types of permissions being granted and how to minimize
risk.
The insights about ScarCruft’s various attack vectors come from
a GitHub repository maintained by the adversarial collective to
host malicious payloads since October 2020.
“The threat actor was able to maintain a GitHub repository,
frequently staging malicious payloads for more than two years
without being detected or taken down,” Zscaler researchers
said.
Outside of malware distribution, ScarCruft has also been
observed serving credential phishing webpages targeting multiple
email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and
163.com.
It’s however not clear how these pages are accessed by the
victims, raising the possibility that they may have been embedded
inside iframes on websites controlled by the attacker or sent as
HTML attachments via email.
Also discovered by SEKOIA.IO is a piece of malware named AblyGo,
a backdoor written in Go that utilizes the Ably[9]
real-time messaging framework to receive commands.
The use of CHM files to smuggle malware appears to be catching
on with other North Korea-affiliated groups as well, with ASEC
uncovering[10] a phishing campaign
orchestrated by Kimsuky[11] to distribute a
backdoor responsible for harvesting clipboard data and recording
keystrokes.
Found this article interesting? Follow us on Twitter [12] and LinkedIn[13] to read more exclusive
content we post.
References
- ^
AhnLab Security Emergency response
Center (asec.ahnlab.com) - ^
ASEC
(asec.ahnlab.com) - ^
SEKOIA.IO
(blog.sekoia.io) - ^
Zscaler
(www.zscaler.com) - ^
disclosed
(thehackernews.com) - ^
M2RAT
(asec.ahnlab.com) - ^
Chinotto
(thehackernews.com) - ^
RESERVE YOUR SEAT
(thn.news) - ^
Ably (ably.com) - ^
uncovering
(asec.ahnlab.com) - ^
Kimsuky
(thehackernews.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/03/scarcrufts-evolving-arsenal-researchers.html