Sample fake163.com website, image sekoia |
The North Korean advanced persistent threat (APT) group, ScarCruft, is continuously refining its tactics to bypass security vendors. The group has been using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware onto targeted machines. The ScarCruft group has been active since at least 2012, and its main objective is cyber espionage targeting South Korean entities.
In its spear-phishing attacks against South Korean targets, ScarCruft uses various file formats, such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents. These infection chains deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.
attack-chain using CHM file format to kick start the infection chain, image zscaler |
The group has exhibited an increased operational tempo since the start of the year, and some of the new capabilities of Chinotto include capturing screenshots every five seconds and logging keystrokes. ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.
Researchers from Zscaler, AhnLab Security Emergency response Center (ASEC), and SEKOIA.IO have discovered the threat actor's GitHub repository maintained by the adversarial collective to host malicious payloads since October 2020. The repository has a large number of samples not present on OSINT sources such as VirusTotal. ScarCruft has also been seen using AblyGo, a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.
The use of CHM files to smuggle malware appears to be catching on with other North Korea-affiliated groups as well, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.
In conclusion, ScarCruft's use of weaponized CHM files to distribute malware highlights the group's continuous efforts to refine and retool its tactics to sidestep detection. South Korean entities need to be aware of these new attack vectors and deploy the necessary security measures to protect themselves.
0 Comments