ScarCruft’s New Tactics in Cyber Espionage
A North Korean-backed advanced persistent threat group, ScarCruft, is advancing its cyber espionage techniques in a recently discovered operation involving the distribution of the ROKRAT malware. This effort signifies a strategic departure from their previous methods, as they now employ Object Linking and Embedding (OLE) objects within Hangul Word Processor (HWP) documents for more sophisticated attacks.
Innovative Infection Techniques
ScarCruft’s shift in tactics is aimed at penetrating targeted systems with greater stealth. By executing the ROKRAT remote access trojan directly in memory, they aim to reduce detectable traces. The threat actors have also maintained their pattern of exploiting legitimate cloud services for command and control (C2) communications.
By integrating services like pCloud and Yandex, ScarCruft masks its malicious activities within regular network traffic, complicating detection and blocking for cybersecurity teams. This strategic usage of commercial cloud platforms allows the malware to consistently receive commands and payloads while evading network security measures.
Technical Analysis of ScarCruft’s Methods
In a recent analysis, S2W researchers identified shifts in ScarCruft’s delivery mechanisms, although the group’s technical signatures remain constant. The analysis showed distinct behaviors, including the use of ROR13-based API resolving and a specific 0x29 XOR key for decrypting payloads. These technical consistencies link the new OLE-based techniques to ScarCruft’s established toolset.
OLE-Based Injection and Evasion
The attack strategy focuses on embedding malicious Droppers and Loaders as OLE objects. When a compromised HWP document is accessed, these objects trigger the attack, often using DLL side-loading to disguise as legitimate processes and bypass security scans. For example, malicious files named mpr.dll or credui.dll are side-loaded into applications like ShellRunas.exe.
In some scenarios, the Dropper releases a payload from its resources, while in others, it serves as a downloader, obtaining shellcode hidden through steganography from Dropbox links. The Loader verifies the analysis environment before decrypting the payload with a 1-byte XOR key, ensuring ROKRAT operates surreptitiously in system memory.
Preventive Measures and Security Recommendations
To counter these threats, organizations must be vigilant with HWP documents received via phishing emails. As executing documents with harmful OLE objects can result in arbitrary code execution, security teams should avoid opening files from dubious sources. Enhancing threat detection capabilities to identify unusual OLE objects in HWP files is crucial.
Stay updated by following us on Google News, LinkedIn, and X. Set CSN as a preferred source on Google for immediate updates.
