The North Korean hacking group ScarCruft, also known as APT37, has been linked to a sophisticated cyber campaign that uses fake Microsoft account alerts to distribute malware named NarwhalRAT. These spear-phishing attacks are designed to create panic among recipients by mimicking legitimate security notifications from Microsoft.
Deceptive Tactics and Delivery Methods
The Genians Security Center (GSC) reports that these phishing emails are crafted to mimic Microsoft security alerts, warning users of potential account breaches and prompting them to review an attached document. However, this attachment is a ZIP file containing a harmful LNK file, rather than the expected document.
By falsely claiming that the user’s Microsoft account experienced unusual activity, such as repeated one-time password requests, the attackers aim to incite a sense of urgency. The ultimate goal is to trick users into treating the email as a legitimate security warning, thus opening the malicious attachment.
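The lure described above, an archive whose only payload is a Windows shortcut rather than the promised document, is straightforward to screen for at a mail gateway or in a sandbox. The following is an added example, not code from the Genians report or from the campaign itself; it uses constructed sample attachments built in memory, and assumes the standard Shell Link file header (HeaderSize 0x4C followed by the shortcut CLSID) for the content check.

```python
import io
import zipfile
from typing import Dict, List

# First 20 bytes of every well-formed .lnk: HeaderSize 0x0000004C and the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046}, little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
SHORTCUT_EXT = ".lnk"


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return ZIP entry names that are Windows shortcuts, by name or by content.

    Checking both catches 'Notice.docx.lnk' (double extension) as well as an
    entry whose name hides the suffix but whose bytes are still a shortcut.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower().rstrip()   # trailing spaces can mask the suffix
            head = zf.open(info).read(len(LNK_MAGIC))
            if name.endswith(SHORTCUT_EXT) or head == LNK_MAGIC:
                flagged.append(info.filename)
    return flagged


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision for one attachment: 'pass' or a quarantine reason."""
    hits = suspicious_entries(zip_bytes)
    return "quarantine: shortcut inside archive: " + ", ".join(hits) if hits else "pass"


def build_sample_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from constructed entries (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachments: a genuine document, a double-extension shortcut
# like the lure in the text, and a shortcut whose name hides its type.
BENIGN = build_sample_zip({"security_notice.pdf": b"%PDF-1.4 constructed sample"})
LURE = build_sample_zip({"Microsoft Account Notice.docx.lnk": LNK_MAGIC + b"\x00" * 56})
RENAMED = build_sample_zip({"Microsoft Account Notice.pdf": LNK_MAGIC + b"\x00" * 56})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("lure", LURE), ("renamed", RENAMED)):
        print(label, "->", verdict(blob))
```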
Technical Execution of the Attack
Launching the LNK file initiates a complex infection sequence. This process involves downloading and executing NarwhalRAT, alongside retrieving necessary components such as a Python executable and a Windows security catalog (CAT) file. Notably, the malware achieves persistence by scheduling a task to run the CAT file, facilitating the payload’s execution in memory without leaving traces on the disk.
NarwhalRAT, once active, is capable of extensive data collection and control operations. Its features include keystroke logging, screenshot capturing, audio recording, and data extraction from USB devices. Moreover, it can follow commands from a command-and-control (C2) server and switch between different servers for communication.
Infrastructure and Implications
The name NarwhalRAT is a nod to its use of the “%APPDATA%\naverwhale” directory, which mimics the Naver Whale browser for stealth. ScarCruft’s preference for NarwhalRAT over their usual RokRAT signifies a tactical shift in their operations.
From an infrastructure standpoint, the malware utilizes Korean domains like ‘daehoat[.]com’ and ‘novel21[.]co.kr’ for its primary C2 activities, incorporating pCloud’s cloud storage API as a secondary channel. This dual-channel strategy involves processing specific parameters within the pCloud system, indicating a sophisticated approach to evade detection.
Genians highlights that this campaign shares several traits with previous ScarCruft attacks, such as the use of spear-phishing with misleading attachments. The infection methodology remains consistent, using a remote server to deliver the necessary malware components and establish communication with C2 servers.
The continued development and deployment of NarwhalRAT underscore the evolving threat landscape posed by state-sponsored actors like ScarCruft. As these groups refine their tactics, organizations must remain vigilant and enhance their cybersecurity defenses to mitigate such sophisticated threats.
