
North Korean Advanced Persistent Threat (APT) actor dubbed ScarCruft uses weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.
According to multiple reports from the AhnLab Security Emergency Response Center (ASEC), SEKOIA.IO, and Zscaler, this development "demonstrates the group's continued efforts to refine and restructure its tactics to evade detection," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis released Tuesday.
ScarCruft, which is also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has ramped up its activity since the beginning of the year, targeting various South Korean organizations for espionage purposes. The group is known to have been active since at least 2012.
Last month, ASEC revealed a campaign using HWP files to deploy a backdoor dubbed M2RAT by exploiting security flaws in Korean word processing software.
However, new findings reveal that the threat actor is also using other file formats, such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents, in spear-phishing attacks against South Korean targets.

These infection chains often deploy updated versions of a PowerShell-based implant known as Chinotto, which can display decoy files and execute commands sent by the server to exfiltrate sensitive data.
Chinotto’s new features include the ability to capture screenshots every 5 seconds and record keystrokes. Captured information is saved in a ZIP archive and sent to a remote server.
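The CHM-to-PowerShell chain described above leaves a distinctive parent/child trace on the endpoint: the Windows help viewer (hh.exe) has no legitimate reason to launch a script interpreter. The following is an added detection example, not code from the original article or from any of the vendors it cites. It runs two simple rules over constructed process-creation events shaped like Sysmon Event ID 1 records (ParentImage, Image, CommandLine are assumed field names; the sample events and paths are made up):

```python
"""Flag process-creation events consistent with a weaponized CHM file.

Added illustrative example. Event fields mimic Sysmon Event ID 1
(ParentImage / Image / CommandLine); all sample events below are constructed.
"""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc <BASE64-PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\invoice.chm'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\help.chm"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start /min notepad.exe"},
]

CHM_VIEWER = "hh.exe"
# Interpreters and LOLBins that hh.exe should never be the parent of.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# User-writable locations where an e-mailed or downloaded CHM typically lands.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp|Desktop)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chm_spawns_script_host(event: dict) -> bool:
    """Rule A: the help viewer is the parent of a script host or LOLBin."""
    return (basename(event.get("ParentImage", "")) == CHM_VIEWER
            and basename(event.get("Image", "")) in SCRIPT_HOSTS)


def chm_opened_from_user_path(event: dict) -> bool:
    """Rule B: hh.exe opened a .chm from a user-writable directory (weaker signal)."""
    if basename(event.get("Image", "")) != CHM_VIEWER:
        return False
    cmd = event.get("CommandLine", "")
    return ".chm" in cmd.lower() and USER_WRITABLE.search(cmd) is not None


RULES = [
    ("hh.exe spawned a script host", chm_spawns_script_host),
    ("hh.exe opened a CHM from a user-writable path", chm_opened_from_user_path),
]


def scan(events: list) -> list:
    """Return (rule name, command line) for every event that matches a rule."""
    findings = []
    for event in events:
        for name, rule in RULES:
            if rule(event):
                findings.append((name, event.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Rule A is the high-confidence signal and maps directly to the chain the article describes; rule B is noisier (a vendor help file opened from Downloads is benign) and is best used to enrich an alert rather than raise one on its own. In a real deployment the same logic is typically expressed as a Sigma or EDR rule rather than a script.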
Insight into ScarCruft’s various attack vectors comes from a GitHub repository maintained by the adversary hosting the malicious payload since October 2020.
“Threat actors maintained GitHub repositories and frequently staged malicious payloads for over two years without being detected or removed,” Zscaler researchers said.
Aside from distributing malware, ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.

However, it is not clear how victims reach these pages; they could be embedded within an iframe on an attacker-controlled website or sent as an HTML attachment in an email.
SEKOIA.IO also found malware named AblyGo, a backdoor written in Go that uses the Ably real-time messaging framework to receive commands.
The use of CHM files to smuggle malware appears to have spread to other North Korea-affiliated groups: ASEC has uncovered a phishing campaign organized by Kimsuky that distributes a backdoor which collects clipboard data and records keystrokes.