After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.
We recently discovered some interesting telemetry on this actor, and decided to dig deeper into ScarCruftâs recent activity. This shows that the actor is still very active and constantly trying to elaborate its attack tools. Based on our telemetry, we can reassemble ScarCruftâs binary infection procedure. It used a multi-stage binary infection to update each module effectively and evade detection. In addition, we analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel.
The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor performs sophisticated attacks using a zero-day exploit. However, sometimes using public exploit code is quicker and more effective for malware authors. We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign.
In order to deploy an implant for the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the initial dropper is created by the infection procedure. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams. Afterwards, the installer malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network level detection, the downloader uses steganography. The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted.
Multi-stage binary infection
The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. This cloud service-based backdoor contains many features. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose. The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data to four cloud services (Box, Dropbox, Pcloud and Yandex). When uploading stolen data to a cloud service, it uses predefined directory path such as /english, /video or /scriptout.
Cloud-based backdoor
The same malware contains full-featured backdoor functionality. The commands are downloaded from the /script path of a cloud service provider and the respective execution results are uploaded to the /scriptout path. It supports the following commands, which are enough to fully control the infected host:
The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration. During our research, we confirmed that they have an interest in mobile devices.
We also discovered an interesting piece of rare malware created by this threat actor - a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information.
The attackers appear to be increasing the scope of the information collected from victims.
Build path of Bluetooth information harvester
We have found several victims of this campaign, based on our telemetry - investment and trading companies in Vietnam and Russia. We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea. It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.
Victimology of this campaign
We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past. The fact that this victim visits North Korea makes its special and suggests that it may have valuable information about North Korean affairs. ScarCruft infected this victim on September 21, 2018. But before the ScarCruft infection, however, another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26, 2018.
GreezeBackdoor is a tool of the DarkHotel APT group, which we have previously written about. In addition, this victim was also attacked by the Konni malware on 03 April 2018. The Konni malware was disguised as a North Korean news item in a weaponized documents (the name of the document was âWhy North Korea slams South Koreaâs recent defense talks with U.S-Japan.zipâ)
Infection timeline
This is not the first time we have seen an overlap of ScarCruft and DarkHotel actors. Members from our team have already presented on the conflict of these two threat actors at security conferences. We have also shared more details with our threat intelligence customers in the past. They are both Korean-speaking threat actors and sometimes their victimology overlaps. But both group seem to have different TTPs (Tactics, Techniques and Procedures) and it leads us to believe that one group regularly lurks in the otherâs shadow.
The ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on the ScarCruftâs recent activities, we strongly believe that this group is likely to continue to evolve. For more information please contact: [email protected]
ScarCruft tools
GreezaBackdoor of DarkHotel
Konni