
Researchers Reveal New Malware Distribution Techniques

Mar 22, 2023 – Cyber Threat Intelligence: The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware, according to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler. ScarCruft, also known as APT37, Reaper, RedEyes, and Ricochet Chollima, has been active since at least 2012, targeting various South Korean entities for espionage purposes.

New findings reveal that the threat actor is also using other file formats such as HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets. These infection chains often serve to display a decoy file and deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.
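The delivery pattern described above (a CHM or HTA lure whose viewer launches a command interpreter that pulls down a PowerShell stage) is easiest to catch at the process tree rather than at the file level. The following is an added detection example written for this page; it is not code from the article or from ASEC, SEKOIA.IO, or Zscaler. It assumes that `hh.exe` (the Windows HTML Help viewer) opens CHM files and `mshta.exe` hosts HTA files, that telemetry arrives as JSON lines with Sysmon-style `ParentImage`, `Image`, and `CommandLine` fields, and it runs over a handful of constructed events rather than real logs. The severity ladder (host spawns anything: low; host spawns an interpreter: medium; interpreter command line carries download or obfuscation switches: high) is a generalisation of the single chain the article describes.

```python
"""Triage process-creation events for CHM/HTA viewers spawning interpreters.

Added example for this page, not the article's or any vendor's code.
Assumptions (not stated in the article): hh.exe opens .chm files and
mshta.exe hosts .hta files on Windows; events are Sysmon Event ID 1 style
JSON lines with ParentImage / Image / CommandLine keys.
"""
import json
import re
from dataclasses import dataclass, field

# Viewer/host binaries for the lure file types named in the article.
SCRIPT_HOSTS = {"hh.exe": "CHM", "mshta.exe": "HTA"}

# Children that can fetch or run a second stage.
CHILD_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Command-line fragments that point at download, encoding or policy bypass.
SUSPICIOUS_ARGS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|"
    r"frombase64string|-e(?:ncodedcommand|nc|c|n)?\b|bypass|hidden|https?://",
    re.IGNORECASE,
)


@dataclass
class Alert:
    severity: str          # "low" | "medium" | "high"
    file_type: str         # "CHM" or "HTA"
    parent: str
    child: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(event: dict):
    """Return an Alert when a CHM/HTA host spawns a child process, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in SCRIPT_HOSTS or not child:
        return None
    reasons = [f"{parent} ({SCRIPT_HOSTS[parent]} viewer) spawned {child}"]
    severity = "low"
    if child in CHILD_INTERPRETERS:
        severity = "medium"
        reasons.append("child is a script/command interpreter")
        cmdline = event.get("CommandLine", "")
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(cmdline)})
        if hits:
            severity = "high"
            reasons.append("download/obfuscation flags: " + ", ".join(hits))
    return Alert(severity, SCRIPT_HOSTS[parent], parent, child, reasons)


def triage(lines):
    """Parse JSON-lines events, skip blank or malformed ones, return alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue          # malformed telemetry is skipped, not fatal
        alert = score_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed Sysmon-style events (not real telemetry); raw strings keep the
# JSON-escaped backslashes intact.
SAMPLE_EVENTS = [
    r'{"ParentImage": "C:\\Windows\\hh.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc SQBFAFgA"}',
    r'{"ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo test"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Invoke-WebRequest https://example.invalid/"}',
    r'{"ParentImage": "C:\\Windows\\hh.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
    "not json at all",
    "",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity.upper():6}] {a.file_type}: " + "; ".join(a.reasons))
```

Only the `hh.exe` and `mshta.exe` children produce alerts; the Explorer-launched PowerShell with a web request is deliberately ignored because the parent is a normal shell, which keeps the rule narrow enough to run on a busy fleet. Feeding it real Sysmon or EDR exports is a matter of mapping the three field names.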

In addition to malware distribution, ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com. SEKOIA.IO has also discovered a piece of malware named AblyGo, a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.

The insights about ScarCruft’s various attack vectors come from a GitHub repository maintained by the adversarial collective to host malicious payloads since October 2020. It is also noted that other North Korea-affiliated groups are using CHM files to smuggle malware, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.

In conclusion, ScarCruft is continuously evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors. The threat actor is using weaponized CHM files to download additional malware, alongside HTA, LNK, XLL, and macro-based Microsoft Office documents, in its spear-phishing attacks against South Korean targets. The GitHub repository the group maintains to host malicious payloads has revealed the range of attack vectors it uses, and other North Korea-affiliated groups are also using CHM files to smuggle malware.
