North Korea-linked ScarCruft APT Uses Large LNK Files in Infection Chains
Cyber Security Threat Summary:
Check Point researchers released new attack details attributed to North Korea’s ScarCruft APT (APT37, Reaper, Group123) group. Since 2022, the group has shifted tactics away from using malicious documents to deliver malware, and instead has been adopting oversized LNK files which are embedded with malicious payloads.
Specifically, the group continues to use a piece of malware called ROKRAT. “ROKRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains. This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources.” reads the report published by Check Point. “The first sample we will discuss below was first discovered in July 2022, the same month that Microsoft began enforcing this new rule.”
Security Officer Comments:
The ScarCruft APT group has been active since at least 2012, though it first made headlines in February of 2018, when the group was seen using a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.
The targeting in this recent campaign continues to be South Korean individuals working in foreign and domestic affairs, based on the identified lures. Using spearphishing emails, the nation-state group is focused on deploying ROKRAT on the victims machine. ROKRAT often takes advantage of a Microsoft Word alternative called Hangul Word Processor (HWP). It is believed to have been created directly by the ScarCruft group.
“Starting in April of 2022, ScarCruft was seen using the GOLDBACKDOOR to target South Korean journalists. In this campaign the group was using large LNK files running PowerShell. Specifically, the group was using a publicly available tool called EmbedExeLnk, which has now become the prominent method of delivering ROKRAT” (Security Affairs, 2023). The recent ROKRAT campaign borrows many techniques from the previous GOLDBACKDOOR one.
More recently, the group has been using multiple lures to deliver ZIP and ISO archives, another common technique seen in use after Microsoft blocked macro-enabled documents by default.
“At the beginning of November 2022, the experts noticed that a file called securityMail[.]zip was submitted to VirusTotal. The archive contained two LNKs with a size of just under 5 MB. The researchers noticed that the implementation of PowerShell commands within the two LNKs is unique and overlaps only with ROKRAT and GOLDBACKDOOR LNK infections. In this case, the infection chain led to the deployment of the commodity malware Amadey. Amadey was previously linked to Konni, which is another North Korea-linked actor that aligns with APT37” (Security Affairs, 2023).
The ROKRAT malware relies on cloud infrastructure for C2, including DropBox, pCloud, Yandex Cloud, and OneDrive. “These infection chains show that since 2022, this group has stopped heavily relying on malicious documents to deliver malware and instead begun to hide payloads inside oversized LNK files. This method can trigger an equally effective infection chain by a simple double click, one that is more reliable than n-day exploits or the Office macros which require additional clicks to launch.” concludes the report. “Although we found that ROKRAT has not changed a lot recently, we see that the loaders being used to deploy it have indeed changed, shifting to the LNK method.”
MITRE ATT&CK:
T1587.001 - Develop Capabilities: Malware
The group is known to develop custom malware, in this case GOLDBACKDOOR and ROKRAT.
T1027 - Obfuscated Files or Information
The group uses ZIP and ISO files, often password protected to bypass email security tools.
T1566.001 - Phishing: Spearphishing Attachment
Using various lures, the group is using email campaigns to target victims.
T1204.002 - User Execution: Malicious File
Users must extract the archive from emails and execute the DLL files.
T1059.001 - Command and Scripting Interpreter: PowerShell
Running the DLL file will cause PowerShell commands to execute on the machine.
T1102 - Web Service
The ROKRAT malware relies on cloud infrastructure for C2, including DropBox, pCloud, Yandex Cloud, and OneDrive.
T1567 - Exfiltration Over Web Service
Data is exfiltrated using DropBox, pCloud, Yandex Cloud, and OneDrive.
Suggested Corrections:
Phishing best practices should be followed to avoid ROKRAT infections.
(sensitive information is also used for double extortion)
Link:
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
https://securityaffairs.com/145622/apt/scarcruft-apt-new-infection-chains.html