ScarCruft

Threat Actor updated 5 months ago (2024-05-04T20:45:19.429Z)
ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor. Its operations have included targeted attacks on individual Android devices, as described in the VB2023 paper "Into the Cumulus: Scarcruft bolsters arsenal for targeting individual Android devices". The group has been observed deploying ROKRAT, a backdoor previously attributed to North Korean threat actors, and CloudMensis, a macOS spyware that checks whether System Integrity Protection (SIP) is disabled so that it can load its own Transparency, Consent, and Control (TCC) database and sidestep macOS privacy prompts. ScarCruft swiftly adapted its initial infection tactics after Microsoft began blocking macros by default in Office documents downloaded from the internet, demonstrating its ability to evolve its methods in response to changes in defensive baselines.

ScarCruft, along with other DPRK-affiliated groups such as Lazarus, has targeted high-value entities including the Russian missile manufacturer NPO Mashinostroyeniya, which holds confidential intellectual property on sensitive missile technology. The group has also been implicated in attacks that deployed the Konni RAT backdoor (also tracked as UpDog) against Russian targets through a trojanized installer for software used by the Russian Ministry of Foreign Affairs; when opened, the installer triggers an infection sequence that ultimately launches Konni RAT, a tool used by North Korean threat groups for command execution and file transfer. Recent campaigns show a commitment to innovating the group's arsenal and expanding its target list, according to a report from SentinelLabs. The group's activities primarily support intelligence collection aligned with the Ministry of State Security (MSS) and North Korean strategic interests.
Notably, ScarCruft has repeatedly targeted the same individuals with the goal of delivering ROKRAT, a custom backdoor developed by the adversaries that supports a range of surveillance capabilities against targeted entities. The group shares operational characteristics with Kimsuky, another North Korean threat group, suggesting a level of coordination or shared resources between these entities.
Description last updated: 2024-05-04T16:39:20.143Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias, description, votes:
- APT37 (8 votes) is a possible alias for ScarCruft. APT37, also known as InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima, is a threat actor suspected to be backed by North Korea. It primarily targets South Korea, but its activities have extended to Japan, Vietnam, the Middle East, and recently Cambodia, across various industry ver
- Reaper (6 votes) is a possible alias for ScarCruft. Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious backdoor first publicly documented in 2017. This group is also tied to the NOKKI malware family, which originated from research surroun
- Group123 (3 votes) is a possible alias for ScarCruft. Group123, also known as Inky Squid or APT37, is a threat actor group suspected of executing malicious cyber activities. They are known for their technical capabilities and innovative intrusion techniques. Over the past 18 months, they have been associated with a series of attacks that utilize shellc
- RedEyes (2 votes) is a possible alias for ScarCruft. RedEyes, also known as APT37, StarCruft, Reaper, InkSquid, BadRAT, ScarCruft, and Ricochet Chollima, is a threat actor group known for its malicious activities. The group has recently deployed a new malware called FadeStealer to pilfer data from compromised systems, which it then sends to a command-
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, Apt, Backdoor, Phishing, Exploit, Korean, Espionage, Vulnerability, Windows, Implant, Payload, State Sponso..., Rat
Associated Malware
Alias, description, association type, votes:
- ROKRAT (association type unspecified; 5 votes): RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
- OpenCarrot (association type unspecified; 2 votes): OpenCarrot is a malicious software (malware) that targets Windows operating systems, enabling unauthorized access and control over infected machines. Identified by IBM XForce, it has been linked to the activities of the Lazarus Group, a North Korean cyber threat operation known for its sophisticated
- BLUELIGHT (association type unspecified; 2 votes): The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components li
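The ROKRAT entry above describes the delivery chain in one sentence: a ZIP attachment carrying a Windows shortcut (.lnk) that poses as a Word document, the technique ScarCruft moved to once macro-based lures stopped working. The script below is an added example written for this page, not code from ScarCruft, Check Point, or any other vendor cited here. It parses the shortcut format (MS-SHLLINK header, StringData and ExtraData blocks) well enough to recover the command line and to measure how many bytes are appended after the documented structure; the sample archive, its file names and the command line are constructed for illustration, and the appended-bytes heuristic is a general LNK triage check, not a documented ScarCruft signature.

```python
"""Triage a mail attachment for the ZIP -> LNK document-lure pattern (constructed demo input)."""
import io
import struct
import zipfile

# ShellLinkHeader starts with HeaderSize (0x4C) and the shell-link CLSID (MS-SHLLINK 2.1).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) selecting the optional structures that follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

DOC_EXTENSIONS = (".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Walk a .lnk: return its StringData and how many bytes trail the documented structure."""
    if len(data) < 0x4C or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, strings = 0x4C, {}
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) then the item ID list (skipped here)
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) covers the whole LinkInfo structure
            pos += struct.unpack_from("<I", data, pos)[0]
        for bit, name in STRING_FIELDS:          # each string: CountCharacters (u16) then the characters
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += width * count
        while pos + 4 <= len(data):              # ExtraData blocks: u32 BlockSize; a size < 4 terminates
            block_size = struct.unpack_from("<I", data, pos)[0]
            pos += 4
            if block_size < 4:
                break
            pos += block_size - 4
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    return {"flags": flags, "strings": strings, "appended_bytes": max(0, len(data) - pos)}


def triage_zip(zip_bytes: bytes, size_threshold: int = 1_000_000) -> list:
    """Return one finding per .lnk entry that looks like a document lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            reasons, command = [], ""
            visible = info.filename[:-4].rstrip().lower()   # "agenda.docx      .lnk" hides the real extension
            if visible.endswith(DOC_EXTENSIONS):
                reasons.append("document double extension")
            if info.file_size > size_threshold:
                reasons.append("oversized shortcut")
            try:
                parsed = parse_lnk(zf.read(info))
            except ValueError as exc:
                reasons.append(f"unparseable shortcut ({exc})")
            else:
                s = parsed["strings"]
                command = (s.get("relative_path", "") + " " + s.get("arguments", "")).strip()
                if any(tool in command.lower() for tool in INTERPRETERS):
                    reasons.append("launches a script interpreter")
                if parsed["appended_bytes"]:
                    reasons.append(f"{parsed['appended_bytes']} bytes appended after the shortcut structure")
            if reasons:
                findings.append({"entry": info.filename, "command": command, "reasons": reasons})
    return findings


def build_lnk(relative_path: str, arguments: str, icon: str, appended: bytes = b"") -> bytes:
    """Construct a minimal Unicode shell link for the demo (not a real lure)."""
    header = bytearray(0x4C)
    header[:20] = LNK_MAGIC
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments, icon))
    return bytes(header) + body + b"\x00\x00\x00\x00" + appended   # terminal ExtraData block, then payload


def build_sample_zip() -> bytes:
    """Constructed attachment: a lure shortcut posing as a .docx plus a harmless text file."""
    lure = build_lnk(
        relative_path=r"..\..\..\..\Windows\System32\cmd.exe",
        arguments='/c powershell -w hidden -c "Start-Process notepad"',   # constructed, not a real command line
        icon=r"%SystemRoot%\System32\imageres.dll",
        appended=b"\x90" * 4096,                                        # stand-in for an embedded payload
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Conference agenda.docx                  .lnk", lure)
        zf.writestr("notes.txt", "constructed benign entry")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["entry"].strip(), "->", finding["command"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The parser skips the LinkTargetIDList, and many real lures put the interpreter there rather than in RelativePath, so treat the command-line check as a first cut and parse the item ID list before relying on it in production; the double-extension and appended-bytes checks do not depend on it.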
Associated Threat Actors
Alias, description, association type, votes:
- Kimsuky (association type unspecified; 2 votes): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group first identified by Kaspersky researchers in 2013. The group has been involved in various cyber espionage activities against global targ
- Lazarus Group (association type unspecified; 2 votes): The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, a campaign attributed to the group with a high level of confidence that targeted Spain. Over th
- BlueNoroff (association type unspecified; 2 votes): BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, point-of-sale (POS) software and cryptocurrency businesses, and ATMs. They have
Associated Vulnerabilities
Alias, description, association type, votes:
- CVE-2018-4878 (association type unspecified; 2 votes): a use-after-free vulnerability in Adobe Flash Player that was exploited as a zero-day in early 2018, before Adobe released a patch.
Source Document References
Information about the ScarCruft Threat Actor was read from the documents corpus below (display limited to 20 results).
Source, created:
DARKReading, 6 months ago
DARKReading, 6 months ago
BankInfoSecurity, 8 months ago
CERT-EU, 8 months ago
Checkpoint, 9 months ago
DARKReading, 9 months ago
CERT-EU, 10 months ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
DARKReading, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago