ScarCruft Threat Actor Intelligence Profile

Tracking started: a year ago, last updated: Thu Apr 11 2024, uuid: 9fff458d-23ff-4b56-832a-8ab7e8d40b99

ScarCruft Description

Generated from Cybergeist context 6 days ago. This description is derived from the associations listed below.

ScarCruft is a North Korean threat actor, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, with a history of conducting cyber-espionage operations. The group has been linked to the deployment of ROKRAT, a tool attributed to North Korean threat actors, and of the CloudMensis malware, which checks whether System Integrity Protection (SIP) is disabled in order to load its malicious database. ScarCruft has shown adaptability in response to changes in defensive measures, such as Microsoft's blocking of macros in Office documents, by swiftly altering its initial infection tactics. The group has targeted individuals and entities in South Korea, as well as in other nations, and shares operational characteristics with Kimsuky, another North Korean threat group.

Recent reports indicate that ScarCruft has been involved in attacks on Russian organizations. In collaboration with another DPRK-affiliated cyber group, Lazarus, ScarCruft targeted the Russian missile manufacturer NPO Mashinostroyeniya, which holds highly confidential intellectual property. Additionally, the group used the Konni RAT backdoor, also deployed by North Korean threat groups such as Kimsuky and TA406, to compromise software used by the Russian Ministry of Foreign Affairs, enabling command execution and file transfers.

ScarCruft's activities extend beyond these specific attacks, as the group continues to expand its arsenal and its target list. Recent campaigns have seen the group targeting cybersecurity professionals and gathering strategic intelligence. Researchers believe that ScarCruft may be planning phishing or social engineering campaigns based on recent developments in the North Korean cyber-threat landscape. The ultimate goal appears to be stealing threat intelligence reports to refine its operational and evasive approaches, and potentially gaining access to cybersecurity environments to launch impersonation attacks.
ScarCruft STIX 2.1 Package Preview
STIX package updated 6 days ago
Graph preview node labels (edge types: alias, related-to): actor nodes ScarCruft, Lazarus, APT37, Reaper, redeyes, Group123; related objects BLUELIGHT, opencarrot, ROKRAT, cve-2018-4878; sources DARKReading, BankInfoSecurity, CERT-EU, Checkpoint, Cybergeist; reports "North Korean Group Seen Snooping on Russian Foreign Ministry", "DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse", "29th January – Threat Intelligence Report - Check Point Research", "Konni RAT deployed via backdoored Russian government tool installer", "North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros".

ScarCruft Association List

The following associations have been determined automatically. Expand a row to see the evidence. Votes are added automatically when the same assertion is recorded from different sources, or when updated by human users.
Associated Object | Votes/Source | Classification | Association Type
Malware | 9 | Threat Class | unspecified
APT37 | 8 | Threat Actor | alias
Reaper | 6 | Threat Actor | alias
Apt | 6 | Threat Class | unspecified
ROKRAT | 5 | Malware | unspecified
Backdoor | 4 | Threat Class | unspecified
Phishing | 4 | Tactic | unspecified
Group123 | 3 | Threat Actor | alias
Espionage | 3 | Objective | unspecified
Korean | 3 | Country / Region | unspecified
Context provided by 9 Sources
Securityaffairs
Checkpoint
Checkpoint Research
CERT-EU
Securelist
SecurityIntelligence.com
ESET
BankInfoSecurity
BankInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG)
MITRE
MITRE began in 1958, sponsored by the U.S. Air Force to bridge across the academic research community and industry to architect the Semi-Automatic Ground Environment, or SAGE, a key component of Cold War-era air defense.
DARKReading

Recent statements about ScarCruft

Recent statements give a quick snapshot of how this object is evolving. Each entry is an excerpt from a source report.

Statement Text
"We suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber-threat landscape, targeting audiences consuming threat intelligence reports." As far as the end goal, the firm concluded...(read more)
Accessing their victims’ inboxes with a third-party client via IMAP probably helps ScarCruft operators maintain access to the victims’ emails after stealing credentials, which may not be enough on their own, due to Google’s detection of suspicious lo...(read more)
ScarCruft is a state-sponsored outfit with links to North Korea's Ministry of State Security (MSS).
Cyber-espionage teams ScarCruft and Lazarus installed stealthy digital backdoors into NPO Mash’s systems.
The breach of the email server was linked to a threat actor known as ScarCruft, APT37, Inky Squid or Temp.Reaper, while the OpenCarrot backdoor was previously linked to the Lazarus Group hackers.
The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previous undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service.
SentinelOne has seen evidence suggesting that two North Korean threat actors, ScarCruft https://www.securityweek.com/north-korean-hackers-caught-malware-with-microphone-wiretapping-capabilities/ and the notorious Lazarus https://www.securityweek.com/...(read more)
In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea.
The breach of the Linux email server has been attributed to ScarCruft https://thehackernews.com/2023/07/starkmule-targets-koreans-with-us.html OpenCarrot, on the other hand, is a known implant previously identified https://exchange.xforce.ibmcloud.co...(read more)
Last month, APT37, the state-backed cybercrime group also known as ScarCruft and Reaper, exploited a data transfer and messaging application to inject info-stealing malware with wiretapping capabilities into the devices of targeted South Korea-based ...(read more)
2023-05-02 11:05 North Korea-linked ScarCruft APT group started using oversized LNK files to deliver the RokRAT malware starting in early July 2022.
After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor.
160.202.79[.]226 is a QuickPacket VPS (US) hosting IP also being shared with the domain dallynk[.]com and others used by ScarCruft for malware delivery and C2 initiated through malicious documents.
Mandiant Threat Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.
In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10 https://exchange.xforce.ibmcloud.com/threat-group/guid:145ab7...(read more)
ScarCruft has shown itself to be a highly skilled and active group.
Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 https://www.darkreading.com/threat-intelligence/mysterious-cloud-enabled-macos-spyware (aka InkSquid, RedEyes, BadRAT, Rea...(read more)
It is worth noting that this installer and the deployed loader are not exclusive to Dolphin, and were previously seen used with other ScarCruft malware.
The North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros https://thehackernews.com/2022/07/microsoft-r...(read more)
Documents discussing ScarCruft
The relevance score is determined by machine learning to identify which documents are likely to be most valuable to read.

Created At: Title (open original source)
a year ago: ScarCruft continues to evolve, introduces Bluetooth harvester
a year ago: Who's swimming in South Korean waters? Meet ScarCruft's Dolphin | WeLiveSecurity
a year ago: Operation Daybreak
3 months ago: North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
a year ago: North Korea-linked ScarCruft APT uses large LNK files in infection chains
a year ago: North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
a year ago: North Korea-linked ScarCruft APT uses large LNK files in infection chains | IT Security News
8 months ago: Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
a year ago: ScarCruft updates its toolset – Week in security with Tony Anscombe | WeLiveSecurity
a year ago: Weekly Security Incident Report (02.13-02.19) - 360CERT
a year ago: Lazarus, Scarcruft North Korean APTs Shift Tactics, Thrive
8 months ago: Russian Missile Manufacturer Breached By North Korean Hackers
a year ago: APT trends report Q1 2023 - GIXtools
a year ago: APT trends report Q1 2023
10 months ago: ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
a year ago: North Korean hackers steal data through MP3 files
a year ago: Chain Reaction: ROKRAT's Missing Link - Check Point Research
a year ago: North Korean APT InkySquid Infects Victims Using Browser Exploits
a year ago: APT Trends report Q1 2018
Associated Indicators (159)