Rewterz Threat Alert –ScarCruft APT Targets Security Experts for Gathering Strategic Intelligence – Active IOCs

Severity

High

Analysis Summary

A North Korea-linked cyber espionage group called ScarCruft has been discovered targeting security professionals and journalists who show interest in the country by offering fake intelligence on a rival threat actor from the same nation, finally infecting its would-be hunters with malware.

The threat group has been experimenting with new infection chains recently by using a technical threat research report as a decoy to target consumers of threat intelligence such as cybersecurity researchers. It seems that the North Korean APT continues to obtain strategic intelligence with the possible intention of acquiring insights into non-public defense strategies and cyber threat intelligence.

One of the notable lures that ScarCruft used was pretending to be a security researcher who offered intelligence on Kimsuky, who is another suspected North Korean threat actor on the radar of threat hunters. It is also believed that ScarCruft and Kimsuky share infrastructure and tools like command-and-control (C2) servers, which suggests that the two APT groups might be working together in this latest campaign to target cybersecurity professionals.

The latest report by the security firm gives out a warning that the defenders could end up as victims if they do not exercise caution when approached with seemingly useful information about either of the APT groups. Due to ScarCruft’s practice of using fake documents that are relevant to the targeted individuals, it is suspected that the campaigns will most likely target consumers of technical threat intelligence reports that include threat researchers, cyber policy organizations, and other cybersecurity experts.

The lure uses phishing emails pretending to be from legitimate groups like the “North Korea Research Institute”, which is a machine-translated name of the authentic Institute for North Korean Studies. The emails are made this way so they look legitimate enough so researchers and journalists feel encouraged to click on them. The malware that is delivered this way is most likely spyware to perform espionage on the researchers and collect strategic intelligence.

ScarCruft’s main goal is to gather strategic intelligence that it continues to fulfill by targeting high-profile security experts in North Korean affairs as well as news organizations that are focused on North Korea, enabling the threat actor to get knowledge and a better understanding of how the international community views the developments in North Korea. It is believed that the intelligence collected by ScarCruft is being conveyed to Pyongyang to play a part in the country’s decision-making, though it’s impossible to verify this claim due to the lack of conversations between North Korea and its foes.

Impact

• Cyber Espionage
• Exposure to Sensitive Information

Indicators of Compromise

Domain Name

• app.documentoffice.club
• careagency.online
• cra-receivenow.online
• depositurl.lat
• nav.offlinedocument.site

MD5

• eeadfcccb6d95dc04d81f68ae7865f8b
• 28d25a4021536394fd890c4b6d9b5551
• f264f6bfa09a6305865f08bde57b9fd8
• 54b3aa4b83e410f4bf28368d59a0711b
• d6080cc6bad2a70cf21f84147c58bca1
• e5a10df3734802a63d6f10a63ff0054c
• e26422ba7e1eed4481e9389806e798c3

SHA-256

• f4ac4d7bbd9998071b17ef30d3cb7e4126db06cdcc0c4b3548a01012a00fd1f5
• 44365e0bcd77f1721d061dc03dd3c1728ad36671ad294ec7b2cf088b1bbefd23
• 4dcad5842255051edd5c39212092569c906ad420ab1fc2cfa4a5cc9db9339f0c
• d1f81eaf48b878479065d9f04a252edca193bb0ffdd7734daad2103c17a637e9
• 28d8b150f499e0cd83f293c1f2f2bfc9248c94aa9115f24f94e825c384b5f526
• 8510b40c23826fb3ee9cbc0a7b58b5176338020e6524bf9938f1efaadcbf973c
• b6e1351f1767a2cacb3fc7515f0a67691bbd8b9274a26c2953ba898ba879ebea

SHA-1

• 2f78abc001534e28eb208a73245ce5389c40ddbe
• 39c97ca820f31e7903ccb190fee02035ffdb37b9
• 577c3a0ac66ff71d9541d983e37530500cb9f2a5
• b23a3738b6174f62e4696080f2d8a5f258799ce5
• e46907cfaf96d2fde8da8a0281e4e16958a968ed
• e9df1f28cfbc831b89a404816a0242ead5bb142c
• fbf4d8c7418b021305317a185b1b3534a2e25cc8

URL

• http://app.documentoffice.club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE
• http://nav.offlinedocument.site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Enable two-factor authentication.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Deploy advanced threat detection solutions that can identify and analyze suspicious activities, patterns, and behaviors across your network and endpoints. Utilize intrusion detection systems (IDS), intrusion prevention systems (IPS), and next-generation firewalls to proactively monitor and block malicious activities.
• Implement network segmentation to compartmentalize sensitive systems and data.
• Strengthen email security protocols to identify and block phishing attempts. Train employees to recognize suspicious emails and attachments, and employ email filtering technologies to reduce the likelihood of successful spear-phishing attacks.
• Regularly update and patch all software, applications, and operating systems to minimize potential entry points for cyber attackers.
• Enforce MFA across your organization to add an extra layer of security to user accounts and critical systems.
• Deploy advanced endpoint security solutions that offer real-time threat detection and response. This includes antivirus software, endpoint detection and response (EDR) tools, and behavioral analysis to identify suspicious activities.
• Ensure that systems are securely configured and hardened following industry best practices. Disable unnecessary services, ports, and protocols to reduce the attack surface.
• Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a cyber attack. This plan should include communication protocols, roles and responsibilities, and procedures for containing and mitigating the attack.
• Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in your systems and infrastructure.
• Assess the security practices of third-party vendors and suppliers who have access to your network. Ensure they adhere to robust cybersecurity standards to prevent potential supply chain attacks.