UPDATED 09:00 EDT / JANUARY 22 2024

SECURITY

Research warns that North Korean threat group is targeting media organizations

A new report released today by SentinelLabs, the research arm of publicly listed cybersecurity company SentinelOne Inc., provides new insights into a suspected North Korean advanced persistent threat group that is targeting media organizations and high-profile experts in North Korean affairs.

Dubbed ScarCruft but also known as InkySquid and APT37, the group was observed targeting individuals, including those linked to South Korea’s academic sector and a news organization over a span of two months. The researchers were able to retrieve malware the group uses in the planning and testing phases of its development cycle that will likely be used in future campaigns.

ScarCruft was found to be testing malware infection chains that use a technical threat research report on Kimsuky, another suspected North Korean threat group, as a decoy document. Kimsuky shares operational characteristics with ScarCruft, including infrastructure and command and control server configurations.

Given ScarCruft’s use of decoy documents relevant to targeted individuals, the researchers suspect that the planned campaigns by the group will likely target consumers of technical threat intelligence reports, such as threat researchers, cyber policy organizations and other cybersecurity professionals.

As its attack path, ScarCruft was found to use oversized Windows Shortcut (LNK) files that initiate multi-stage infection chains delivering RokRAT, a custom-written backdoor associated with a threat group of the same name. RokRAT is a backdoor equipped with capabilities that enable its operators to conduct effective surveillance on targeted entities. In an attempt to execute undetected, the infection chains involve multiple executable formats and evasion techniques.
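A defender-side illustration of the "oversized LNK" point above, added here as an example and not code from SentinelLabs or the article: it validates the fixed ShellLinkHeader (HeaderSize 0x4C and the LinkCLSID 00021401-0000-0000-C000-000000000046) so that a hunt does not trip on renamed files, then flags shortcuts whose size is far beyond what a real shortcut needs. The 1 MiB threshold and the in-memory sample shortcuts are assumptions for illustration.

```python
import struct
import uuid
from pathlib import Path

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# Assumed threshold: real shortcuts are a few KB; multi-megabyte LNKs
# that carry embedded stages are the pattern worth reviewing.
OVERSIZED_THRESHOLD = 1 * 1024 * 1024


def is_lnk(data: bytes) -> bool:
    """True if data starts with a structurally valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])  # GUID stored little-endian
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def assess_lnk(data: bytes, threshold: int = OVERSIZED_THRESHOLD) -> dict:
    """Verdict for one file's bytes: is it a shortcut, and is it oversized?"""
    valid = is_lnk(data)
    return {
        "lnk": valid,
        "oversized": valid and len(data) > threshold,
        "size": len(data),
    }


def scan_directory(root: str, threshold: int = OVERSIZED_THRESHOLD) -> list:
    """Walk a tree and return (path, size) for every oversized real LNK."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        verdict = assess_lnk(path.read_bytes(), threshold)
        if verdict["oversized"]:
            hits.append((str(path), verdict["size"]))
    return hits


def build_sample_lnk(padding: int = 0) -> bytes:
    """Constructed sample: a minimal 76-byte header plus optional padding."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + b"\x00" * padding


if __name__ == "__main__":
    print(assess_lnk(build_sample_lnk()))
    print(assess_lnk(build_sample_lnk(padding=2 * 1024 * 1024)))
```

Size alone is a triage signal, not a verdict; an oversized hit is the cue to pull the file for sandboxing and to check the process tree that spawned from it.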

The group’s targeting of high-profile experts in North Korean affairs and news organizations focused on North Korea is said to suggest that ScarCruft’s primary objective is gathering strategic intelligence. Doing so enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes. Its focus on consumers of technical threat intelligence reports suggests an intent to gain insights into nonpublic cyber threat intelligence and defense strategies.

“As we continue to track suspected North Korean threat actors and their pace of experimentation, we assess they have a growing interest in mimicking cybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts directly, or more broadly through brand impersonation,” the researchers conclude. 
