ScarCruft

Threat Actor updated 23 days ago (2024-11-29T13:48:39.892Z)
ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery methods following Microsoft's disabling of macro-embedded Office documents. ScarCruft has been linked to the deployment of ROKRAT, a tool previously attributed to North Korean threat actors, and CloudMensis, which attempts to identify where System Integrity Protection (SIP) is disabled to load its own malicious database. Mandiant Threat Intelligence believes that APT37 aligns with the activities reported as ScarCruft and Group123. The group has targeted various entities including Russian missile manufacturing company NPO Mashinostroyeniya, which possesses sensitive information on missile technology currently in use and under development for the Russian military. In February 2024, ScarCruft was found deploying the Konni RAT backdoor, also known as UpDog, against Russia through the compromise of an installer for software used by the Russian Ministry of Foreign Affairs. The trojanized installer would trigger an infection sequence that eventually launches Konni RAT, which had been used by North Korean threat groups Kimsuky and ScarCruft for command execution and file transfers. Recent campaigns by ScarCruft have shown the group's commitment to innovating its arsenal and expanding its target list, according to a SentinelLabs report. The group primarily conducts intelligence collection in support of North Korean strategic interests. In one active campaign, ScarCruft repeatedly targeted the same individuals with the goal of delivering RokRAT, a custom backdoor developed by the adversaries that allows a range of surveillance types on targeted entities. 
Researchers at SentinelLabs retrieved malware they assess to be part of ScarCruft's planning and testing processes, indicating the group's ongoing development of its capabilities.
Description last updated: 2024-11-08T10:03:00.207Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description
APT37 (8 votes): APT37 is a possible alias for ScarCruft. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and
Reaper (6 votes): Reaper is a possible alias for ScarCruft. Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
Group123 (3 votes): Group123 is a possible alias for ScarCruft. Group123, also known as APT37, RedAnt, RedEyes, ScarCruft, Inky Squid, and Reaper, is a threat actor group associated with North Korea. This group has demonstrated a variety of technical capabilities in their intrusions, primarily targeting government entities. Mandiant Threat Intelligence and AhnLa
RedEyes (2 votes): RedEyes is a possible alias for ScarCruft. RedEyes, also known as APT37, TA-RedAnt, Reaper, ScarCruft, Group123, InkSquid, BadRAT, and Ricochet Chollima, is a North Korea-linked threat actor known for its malicious cyber activities. It recently exploited an Internet Explorer zero-day vulnerability (CVE-2024-38178 with a CVSS score of 7.5) in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Backdoor
Phishing
Exploit
Korean
Espionage
Vulnerability
Windows
Implant
Payload
State Sponso...
Rat
Associated Malware
Alias (association type; votes): Description
ROKRAT (Unspecified; 5 votes): The ROKRAT Malware is associated with ScarCruft. RokRAT is a form of malware that has been utilized in cyber-espionage campaigns primarily targeting South Korean entities. It is typically delivered via phishing emails containing ZIP file attachments, which contain LNK files disguised as Word documents. When the LNK file is activated, a PowerShell
OpenCarrot (Unspecified; 2 votes): The Opencarrot Malware is associated with ScarCruft. OpenCarrot is a malicious software (malware) that targets Windows operating systems, enabling unauthorized access and control over infected machines. Identified by IBM XForce, it has been linked to the activities of the Lazarus Group, a North Korean cyber threat operation known for its sophisticated
BLUELIGHT (Unspecified; 2 votes): The BLUELIGHT Malware is associated with ScarCruft. The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components li
Associated Threat Actors
Alias (association type; votes): Description
Kimsuky (Unspecified; 2 votes): The Kimsuky Threat Actor is associated with ScarCruft. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which
Lazarus Group (Unspecified; 2 votes): The Lazarus Group Threat Actor is associated with ScarCruft. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati
Bluenoroff (Unspecified; 2 votes): The Bluenoroff Threat Actor is associated with ScarCruft. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
Associated Vulnerabilities
Alias (association type; votes): Description
CVE-2018-4878 (Unspecified; 2 votes): The vulnerability CVE-2018-4878 is associated with ScarCruft.
Source Document References
Information about the ScarCruft Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)
DARKReading (8 months ago)
DARKReading (8 months ago)
BankInfoSecurity (10 months ago)
CERT-EU (10 months ago)
Checkpoint (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)