ScarCruft, an advanced persistent threat (APT) actor based in North Korea, has been observed using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware. AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler have all reported on the group’s efforts to refine and retool its tactics to avoid detection.
According to Zscaler researchers Sudeep Singh and Naveen Selvan, ScarCruft, also known as APT37, Reaper, RedEyes, and Ricochet Chollima, has been especially active since the start of the year, targeting multiple South Korean entities for espionage. The group has been active since at least 2012 and continues to evolve its tools, techniques, and procedures, experimenting with new file formats and methods to avoid security vendors.
Latest ScarCruft APT Campaigns Reveal New Malware Distribution Tricks
ASEC recently revealed a campaign that uses malicious HWP files to take advantage of a security vulnerability in the Hangul word processing software and deploy a backdoor referred to as M2RAT. However, further research has revealed that the threat actor is also using other file types such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets.
The infection chains display a decoy file while deploying an updated version of Chinotto, a PowerShell-based implant. Chinotto can execute commands received from a server and transfer sensitive data. It has also been enhanced to take screenshots every five seconds and log keystrokes; the captured data is archived in a ZIP file and sent to a remote server.
What Is Known about the Chinotto Malware?
Chinotto was uncovered by Kaspersky researchers in 2021. They identified the group’s use of “watering hole” attacks, spear-phishing emails, and smishing attacks to deploy the malware. Once installed, Chinotto can be used by the attackers to control the compromised devices, take screenshots, deploy additional payloads, extract data of interest, and upload it to attacker-controlled servers.
It is also noteworthy that ScarCruft has been observed deploying credential phishing webpages that target various email and cloud services, such as Naver, iCloud, Kakao, Mail.ru, and 163.com, in addition to engaging in malware distribution.
What Is an Advanced Persistent Threat (APT) Cyberattack?
Advanced persistent threats (APTs) are a type of cyberattack that uses advanced methods to break into a system and stay there undetected for long periods of time. These targeted attacks are often conducted by highly experienced and well-funded groups, such as state-sponsored hackers or organized crime syndicates. Unlike other types of cyberattacks, APTs are designed to steal data or disrupt operations without leaving evidence, which makes them hard to identify and defend against.
APTs employ a combination of tactics and technology, such as malware, social engineering, and zero-day exploits, to infiltrate networks and systems. Generally, APTs have a specific objective, such as obtaining confidential information or intellectual property, but they may also be used for espionage, sabotage, or even cyber warfare.