Threat Actor Profile: ScarCruft / APT37

[Update] October 17, 2024: “ScarCruft Exploits CVE-2024-38178 to Deploy RokRAT Malware”

ScarCruft, also widely known as APT37 or Reaper APT, is an espionage group associated with North Korean state activities that target high-value individuals. The group has been active since 2012, and while its primary target is South Korea, ScarCruft extends its reach to other Asian nations linked to North Korea’s interests.

The group’s interests lie heavily in government, military bodies, and industries aligned with North Korea’s concerns.

Employing watering-hole attacks and sophisticated exploits, ScarCruft infiltrates systems to install backdoors and conduct reconnaissance. They innovate with malware development and experiment with infection chains, often employing decoy documents associated with other North Korean groups.

Utilizing zero-day exploits and spear-phishing tactics, which form the backbone of their sophisticated attack methodologies, ScarCruft orchestrates attacks across various countries, including Russia, Nepal, China, and more.

Constantly evolving, ScarCruft refines its methods, including the use of weaponized Microsoft Compiled HTML Help (CHM) files, exploring new file formats, and enhancing evasion techniques.

Their persistence and sophistication make ScarCruft a formidable threat to South Korea and North Korea-associated interests, leveraging advanced tactics to fulfill their espionage goals.

How Does ScarCruft / APT37 Attack?

ScarCruft employs diverse methods to deploy its backdoors, including spear-phishing and strategic web compromises. They exploit zero-day vulnerabilities for sophisticated attacks and have been noted for watering-hole attacks, compromising websites commonly visited by their targets to distribute their backdoors via malicious code.

A standout method is the use of Dolphin malware. Dolphin is a backdoor facilitating extensive spying capabilities like drive monitoring, file exfiltration, keylogging, screenshot capture, and browser credential theft.

Another malicious tool used by the APT group, BLUELIGHT, was previously deployed in a watering-hole attack on a South Korean online newspaper.

ScarCruft experiments with malware delivery routes, such as oversized LNK files for RokRAT distribution, and employs social engineering – deceiving targets via phishing to deliver malware.

What sets ScarCruft apart is its utilization of the self-decoding technique, an uncommon method among APT groups, to efficiently distribute malware. The self-decoding technique involves encoding a malicious payload within another file or code for evasion purposes. When the document is opened or the code is executed, the payload is dynamically decoded and executed. Additionally, the group employs unconventional channels for its operations, leveraging social networking sites and cloud platforms for Command and Control (C2) communication.

The tactics of ScarCruft evolve continuously as the group keeps finding novel methods to bypass security measures and enhance their operational effectiveness.

Key Takeaways from the Tactics Used by the Threat Actor:

• Spear Phishing: ScarCruft initiates intrusions through spear phishing emails, employing social engineering to entice users into opening malicious attachments to deliver backdoors.
• Compromised Websites: The group employs compromised websites to retrieve second-stage malware, indicating a multi-stage attack strategy.
• Social Networking and Cloud Platforms: ScarCruft leverages social networking sites and cloud platforms for Command and Control (C2) communication, utilizing unconventional channels for their operations.
• Self-Decoding Technique: ScarCruft stands out for using the self-decoding technique, a less common method among APT groups, to distribute malware efficiently.

Malware Used by ScarCruft / APT37

ScarCruft (APT37) uses a variety of customized tools to extract sensitive data from compromised systems, including Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin. These tools facilitate remote access, data theft, and command execution while evading detection.

ScarCruft employs a diverse range of malware in its operations, such as Microsoft Compiled HTML Help (CHM) files, to install additional malware on target systems. The group is also known to have developed malware targeting mobile devices, using Windows Bluetooth APIs to collect data from connected devices. Another malicious tool used by the group while targeting mobile – alongside desktop – devices is the Chinotto spyware.

Notably, ScarCruft has been associated with a previously unknown malware family called NOKKI, and furthermore, in early 2023, researchers linked ScarCruft to a malware strain named M2RAT, a Remote Access Trojan (RAT) adept at bypassing antivirus and intrusion detection systems.

Vulnerabilities Exploited by ScarCruft / APT37

ScarCruft (APT37) has exploited various vulnerabilities in its cyber espionage campaigns. One notable instance involved ScarCruft leveraging a zero-day vulnerability in the JScript 9 scripting language (CVE-2022-41128), enabling the group to infect South Korean targets with malware.

Additionally, ScarCruft utilized steganography techniques to distribute malware by exploiting a vulnerability in HWP EPS (Encapsulated PostScript) files. Furthermore, the group employed Flash Player exploits, like CVE-2016-4117, to deliver malware through watering hole attacks.

ScarCruft also targeted vulnerabilities in Microsoft Office applications, such as Word, using them to distribute malware via compromised documents.

What Are the Countries/Industries Targeted by ScarCruft / APT37?

Target Countries:

ScarCruft’s victims have been observed in several countries, including:

• Russia
• Nepal
• South Korea
• China
• India
• Kuwait
• Romania

These countries have reported ScarCruft-related activities and targeted attacks. It is worth noting that ScarCruft primarily targets South Korea, but it has also targeted other Asian countries and organizations with North Korean interests.

Target Sectors:

ScarCruft primarily targets sectors and industries that are aligned with North Korea’s interests.

The group’s target industries include government and military organizations, with the goal of gathering intelligence from these bodies, while it directs attacks against various industries in diverse sectors based on North Korea’s interests.

ScarCruft is also known to have targeted individuals associated with North Korea – like academics, novelists, and activists; the group also monitors North Korean defectors and journalists.

Campaigns Related to ScarCruft / APT37

APT37 (ScarCruft) has been linked to several campaigns and activities. Here are some notable campaigns associated with APT37:

APT37 Campaigns in 2016 – 2018

• Operation Daybreak
• Operation Erebus
• Golden Time
• Evil New Year
• Are you Happy?
• FreeMilk
• North Korean Human Rights
• Evil New Year 2018

NPO Mash Breach (2021)

In a 2021 campaign, ScarCruft breached Russia’s leading missile manufacturer, NPO Mashinostroyeniya (NPO Mash). The attack was not solely attributed to ScarCruft, another known North Korean nation-state threat group, Lazarus, was also involved.

It appeared that the breach commenced in late 2021 and continued until May of the following year – the attackers maintained access for several months before detection. ScarCruft breached the email server, while Lazarus implanted backdoors into NPO Mash’s systems.

And in May 2022, NPO Mash detected a suspicious file, later identified as an OpenCarrot backdoor linked to Lazarus, capable of reconnaissance and file manipulation. ScarCruft was also found compromising NPO Mash’s Linux email server during the incident.

NPO Mash’s appeal as a target lies in its possession of highly classified intellectual property associated with sensitive missile technology, and the attack was regarded as a strategic espionage mission to support North Korea’s missile program – the attack also stands as a recent example of the group’s high-value targeting.

ScarCruft Exploits CVE-2024-38178 to Deploy RokRAT Malware (2024)

North Korean threat actor ScarCruft has been linked to the exploitation of CVE-2024-38178, a now-patched vulnerability in Windows, to install the RokRAT malware.

RokRAT, known for its sophisticated remote access capabilities, can collect data from widely-used applications and evade detection by utilizing cloud services like Dropbox and Google Cloud for Command and Control (C2) operations.

The flaw, which affects the Scripting Engine in Internet Explorer mode of Edge, was patched by Microsoft in August 2024 Patch Tuesday Update. It allows remote code execution if a user clicks a specially crafted URL.

ScarCruft’s continued focus on exploiting browser vulnerabilities highlights their ongoing efforts to target systems in South Korea and beyond.

AhnLab researchers have named this campaign Operation Code on Toast, as ScarCruft exploited a “Toast” application vulnerability used in Korea. This campaign is notable for utilizing a compromised advertisement server to distribute malicious code.

Indicators of Compromise Related to RokRAT

MD5:

• e11bb2478930d0b5f6c473464f2a2b6e
• bd2d599ab51f9068d8c8eccadaca103d

SHA-256:

• 736092b71a9686fde43d3c4abd941a6774721b90b17d946c9d05af19c84df0a4
• 95a19bb2cc53c2ff2edff89161acb9c50ea450fa8a53bbddde2ca3007b1a1345

SHA-1:

• 9a17d9b44af34aca4e94242c54e001d761993763
• f0891b2fd83037f982acfaac17dcd77b091534db

Conclusion

Since its inception in 2012, ScarCruft has demonstrated a profound interest in targeting high-value individuals and institutions, primarily centered around South Korea but extending its reach to other Asian nations aligned with North Korea’s counterintelligence interests.

The group’s modus operandi involves targeting government, military bodies, various industries, as well as individuals associated with North Korean concerns, showcasing their broad spectrum of interests and objectives. Employing watering-hole attacks, zero-day exploits, and spear-phishing tactics, ScarCruft infiltrates systems to install backdoors and conduct reconnaissance.

The recent campaign involving ScarCruft’s breach of Russia’s leading missile manufacturer, NPO Mashinostroyeniya (NPO Mash), highlights the group’s evolving tactics and strategic focus. Collaborating with Lazarus, another North Korean nation-state threat group, ScarCruft orchestrated a sophisticated attack, maintaining access for several months before detection.

In essence, ScarCruft’s operations epitomize the evolving landscape of cyber espionage, posing significant challenges to the cybersecurity of government organizations and more worldwide. As ScarCruft continues to refine its tactics and expand its sphere of influence, vigilance, and collaboration among security communities remain critical in mitigating the threat posed by this sophisticated adversary and alikes.

Recommendations: Guarding Against ScarCruft

To protect against ScarCruft (APT37) and mitigate the risk of their cyber espionage activities, here are some recommendations:

• Keep software up to date: Regularly update operating systems, applications, and security patches to address known vulnerabilities. APT37 has been known to exploit zero-day vulnerabilities, so staying up to date is crucial.
• Implement strong security measures: Deploy robust security solutions, including firewalls, intrusion detection systems, and antivirus software. Regularly update and configure these tools to ensure they provide effective protection against known threats.
• Enable Multi-Factor Authentication (MFA): Implement MFA for critical accounts and systems to add an extra layer of security. This helps prevent unauthorized access even if passwords are compromised.
• Educate employees: Conduct regular security awareness training to educate employees about phishing attacks, social engineering techniques, and safe browsing habits. APT37 often uses spear-phishing emails as an initial attack vector.
• Monitor network traffic: Implement network monitoring tools to detect suspicious activities and anomalies. Monitor for any signs of unauthorized access, data exfiltration, or unusual network behavior.
• Implement strong access controls: Restrict user privileges and implement the principle of least privilege. Limit access to sensitive systems and data to only those who require it.
• Regularly back up data: Maintain regular backups of critical data and ensure they are stored securely. This helps mitigate the impact of potential data breaches or ransomware attacks.
• Establish an incident response plan: Develop an incident response plan that outlines the steps to be taken in the event of a security incident. This will help minimize the impact and facilitate a swift response.

These recommendations serve as general cybersecurity best practices and may not comprehensively counter all tactics employed by APT37; to directly address the threats they may face, organizations must remain vigilant and stay informed about the latest threat intelligence, and use advanced platforms like SOCRadar to monitor their attack surface.

You can elevate your organization’s security strategy with SOCRadar’s insights – The SOCRadar XTI platform, with its Cyber Threat Intelligence capabilities, can assist you stay ahead of emerging threats posed by threat actors like ScarCruft, ensuring your defenses are continuously fortified and updated against evolving risks.

MITRE ATT&CK TTPs of ScarCruft / APT37

Indicators of Compromise (IoCs) Related to ScarCruft / APT37

The Indicators of Compromise of ScarCruft (APT37), as listed by Zscaler, are as follows:

Archive File Hashes

CHM File Hashes:

LNK Files: