ScarCruft

Threat Actor updated 4 months ago (2024-05-04T20:45:19.429Z)
ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Into the Cumulus: Scarcruft bolsters arsenal for targeting individual Android devices". The group has been observed deploying ROKRAT, a tool previously attributed to North Korean threat actors, and CloudMensis, a malware that attempts to identify where System Integrity Protection (SIP) is disabled to load its own malicious database. ScarCruft swiftly adapted its initial infection tactics following Microsoft's disabling of macro-embedded Office documents, demonstrating its ability to evolve its methods in response to changes in cybersecurity measures.

ScarCruft, along with other DPRK-affiliated cyber groups like Lazarus, has targeted high-value entities such as the Russian missile manufacturing company NPO Mashinostroyeniya, which possesses confidential intellectual property on sensitive missile technology. The group has also been implicated in attacks deploying the Konni RAT backdoor, also known as UpDog, against Russia through the compromise of software used by the Russian Ministry of Foreign Affairs. This trojanized installer, when opened, triggers an infection sequence that eventually launches the Konni RAT, a tool used by North Korean threat groups for command execution and file transfers.

Recent campaigns by ScarCruft have shown a commitment to innovating its arsenal and expanding its target list, according to a report from SentinelLabs. The group's activities primarily support intelligence collection aligned with the efforts of the Ministry of State Security (MSS) and North Korean strategic interests.
Notably, ScarCruft has repeatedly targeted the same individuals with the goal of delivering RokRAT, a custom backdoor developed by the adversaries that allows a range of surveillance types on targeted entities. The group shares operational characteristics with Kimsuky, another North Korean threat group, suggesting a level of coordination or shared resources between these entities.
Description last updated: 2024-05-04T16:39:20.143Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names/profiles you may also want to look at.
ID (Votes): Profile Description
APT37 (8 votes): APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Reaper (6 votes): Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
Group123 (3 votes): Group123, also known as Inky Squid or APT37, is a threat actor group suspected of executing malicious cyber activities. They are known for their technical capabilities and innovative intrusion techniques. Over the past 18 months, they have been associated with a series of attacks that utilize shellc
RedEyes (2 votes): RedEyes, also known as APT37, StarCruft, Reaper, or BadRAT, is a threat actor group known for its malicious cyber activities. This group recently deployed a new malware named FadeStealer to extract information from targeted systems. They have also been observed using CloudMensis, a malware that seek
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, APT, Backdoor, Phishing, Exploit, Korean, Espionage, Vulnerability, Windows, Implant, Payload, State Sponso..., RAT
Associated Malware
ID (Type; Votes): Profile Description
ROKRAT (Unspecified; 5 votes): RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
OpenCarrot (Unspecified; 2 votes): OpenCarrot is a malicious software (malware) that targets Windows operating systems, enabling unauthorized access and control over infected machines. Identified by IBM XForce, it has been linked to the activities of the Lazarus Group, a North Korean cyber threat operation known for its sophisticated
BLUELIGHT (Unspecified; 2 votes): The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components li
Associated Threat Actors
ID (Type; Votes): Profile Description
Kimsuky (Unspecified; 2 votes): Kimsuky, a threat actor linked to North Korea, has been increasingly active in conducting cyber espionage and malicious attacks. This group, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, was first identified by Kaspersky researchers in 2013. In recent de
Lazarus Group (Unspecified; 2 votes): The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated
BlueNoroff (Unspecified; 2 votes): BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs. They have
Associated Vulnerabilities
ID (Type; Votes): Profile Description
CVE-2018-4878 (Unspecified; 2 votes): (no profile description)
Source Document References
Information about the ScarCruft Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source, Created: Title
DARKReading, 5 months ago: DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
BankInfoSecurity, 7 months ago: North Korean Group Seen Snooping on Russian Foreign Ministry
CERT-EU, 7 months ago: Konni RAT deployed via backdoored Russian government tool installer
Checkpoint, 8 months ago: 29th January – Threat Intelligence Report - Check Point Research
DARKReading, 8 months ago: North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
CERT-EU, 9 months ago: Konni Malware Alert: Uncovering The Russian-Language Threat
CERT-EU, 10 months ago: Russian analysts point finger at China, North Korea over cyber activity
CERT-EU, a year ago: Understanding Advanced Persistent Threats
CERT-EU, a year ago: Trojanized VNC apps leveraged in defense-targeted Lazarus Group attacks
CERT-EU, a year ago: Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU, a year ago: APT trends report Q3 2023
DARKReading, a year ago: North Korea's State-Sponsored APTs Organize & Align
CERT-EU, a year ago: Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU, a year ago: North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers
CERT-EU, a year ago: FBI: DPRK cyber crooks may try to cash out $40m in crypto
CERT-EU, a year ago: North Korean Attackers Penetrated Russian Rocket Designer's Systems
CERT-EU, a year ago: Elite North Korean Hackers Breach Russian Missile Developer
CERT-EU, a year ago: Russian Missile Manufacturer Breached By North Korean Hackers
CERT-EU, a year ago: The Week in Security: Cloudflare Tunnels abuse ramps up, U.K. voter data exposed