The ScarCruft group is a nation-state sponsored APT actor known to mostly surveil government organisations related to the Korean Peninsula, North Korean defectors and local journalists. Recently, Kaspersky was approached by a local news service with a request for technical assistance during their cybersecurity investigations. As a result, Kaspersky researchers had an opportunity to perform a deeper investigation on a computer compromised by ScarCruft. Kaspersky experts worked closely with the local CERT to investigate the attacker's command-and-control infrastructure. During the analysis, Kaspersky uncovered an elaborate targeted campaign by this threat actor focused on users connected to North Korea.
As a result of the investigation, Kaspersky experts discovered a malicious Windows executable dubbed Chinotto. This malware is available in three versions: PowerShell, Windows executable and an Android app. All three versions shared a similar command and control scheme based on HTTP communication. This means that the malware operators can control the whole malware family through one set of command and control scripts.
When simultaneously infecting the computer and the victim's phone, the malware operator can overcome two-factor authentication in messengers or email by stealing SMS messages from the phone. After that, the operator can steal any information they are interested in and continue the attacks, for example, on the victim's acquaintances or business partners.
One of the characteristics of this malware is that it contains masses of garbage code meant to impede analysis. Particularly, the malware which fills the buffer with meaningless data and never uses it.
Furthermore, the investigated computer was infected with PowerShell malware, and Kaspersky researchers found evidence that the attacker had already stolen the victim's data and tracked their actions for months. Although Kaspersky experts cannot estimate exactly how much and what data was stolen, they know that the malware operator collected screenshots and exfiltrated them between July and August in 2021.
Initially, the attacker used the victim's stolen Facebook account to contact an acquaintance of the victim, who also runs a business related to North Korea. Following this, they used the connection to gather information about his activities and later attacked the target with a spear-phishing email containing a malicious Word document dubbed "North Korea's latest situation and our national security".
This document included a malicious macro and a payload for a multi-stage infection process. The first stage macro checks for the existence of a Kaspersky security solution on the victim's machine. If installed on the system, the macro enables trust access for Visual Basic Application (VBA). By doing so, Microsoft Office will trust all macros and run any code without showing a security warning or requiring the user's permission. In the case that no Kaspersky security software is installed, the macro directly proceeds to decrypt the next stage's payload. Later, after this initial infection, the attackers delivered the Chinotto malware and then could control and exfiltrate sensitive information from the victims.
During the analysis, Kaspersky experts also identified four other victims, all located in South Korea, and compromised web servers that had been in use since early 2021. According to the research, the target of the threat is individuals rather than specific companies or organisations.
"Many journalists, defectors, and human rights activists are targets of sophisticated cyberattacks. However, they generally lack the tools to defend against and respond to such surveillance attacks. This research demonstrates the importance of security experts sharing knowledge and investing in new types of security solutions that can combat such threats. Furthermore, our collaboration with the local CERT has given us a unique perspective on ScarCruft's infrastructure and its technical characteristics, which I hope will improve our security against their attacks," comments Seongsu Park, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT).
Read the full report on ScarCruft on Securelist.
To protect yourself from such threats, Kaspersky recommends:
To protect organisations, Kaspersky suggests the following: