On January 22, 2024, SentinelOne shared a report concerning a phishing campaign observed last November and December, which targeted media organizations and high-profile North Korea experts in South Korea.
The campaign, attributed to the DPRK-nexus group APT37 ("ScarCruft"), presented an unusual phishing lure consistent with a report on Kimsuky, a separate DPRK state-sponsored cyber threat actor. The use of such a specific lure may reveal APT37's intent to target individuals with a particular interest in cyber threat intelligence, potentially in order to uncover recent research.
The following infection chain has been reported:
The phishing emails contained various attachments, including benign ones, a tactic potentially intended to keep the victim from focusing on a single attachment.
The chain often begins with malicious LNK files delivered with the initial phishing email.
The LNK file executes a PowerShell script which, in turn, connects to a command-and-control (C2) server from which it retrieves the information needed to configure and execute shellcode.
The shellcode executes RokRAT, which serves as the final payload. RokRAT is a fully featured backdoor enabling complete surveillance of the victim.
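The LNK-to-PowerShell-to-C2 stage of the chain above leaves a recognisable footprint in endpoint telemetry: Explorer becomes the parent of a PowerShell process launched by a double-clicked shortcut, the command line tends to carry hiding or policy-bypass arguments, and the same process then opens an outbound connection. The following detector is an added illustration, not code from SentinelOne's report; the Sysmon-style field names, the process GUIDs and every IP address and argument in the sample events are constructed for this example and are not indicators from the campaign.

```python
from typing import Dict, List

# Constructed Sysmon-style telemetry (values invented for this example, not
# indicators from the report). id 1 = process creation, id 3 = network
# connection; "guid" ties both record types to the same process.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "guid": "P1", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # LNK double-clicked in Explorer: Explorer becomes PowerShell's parent
    {"id": 1, "guid": "P2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ep bypass -enc AAAA"},
    {"id": 3, "guid": "P2", "dest_ip": "203.0.113.10", "dest_port": 443},
    # Interactive admin use from a console: must not alert
    {"id": 1, "guid": "P3",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"id": 3, "guid": "P3", "dest_ip": "192.0.2.5", "dest_port": 5985},
]

# Command-line traits a lure-launched PowerShell one-liner commonly carries
SUSPICIOUS_ARGS = ("-windowstyle hidden", "-w hidden", "-ep bypass",
                   "-executionpolicy bypass", "-enc", "-encodedcommand",
                   "downloadstring", "invoke-expression")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_process(ev: Dict) -> List[str]:
    """Return the reasons a process-creation event looks like the LNK stage."""
    reasons: List[str] = []
    if _basename(ev["image"]) != "powershell.exe":
        return reasons
    if _basename(ev["parent_image"]) == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (LNK double-click pattern)")
    cmd = ev["cmdline"].lower()
    hits = [arg for arg in SUSPICIOUS_ARGS if arg in cmd]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return reasons


def detect(events: List[Dict]) -> List[Dict]:
    """Correlate suspicious PowerShell launches with outbound connections."""
    net_by_guid: Dict[str, List[Dict]] = {}
    for ev in events:
        if ev["id"] == 3:
            net_by_guid.setdefault(ev["guid"], []).append(ev)

    alerts: List[Dict] = []
    for ev in events:
        if ev["id"] != 1:
            continue
        reasons = score_process(ev)
        if not reasons:
            continue
        conns = net_by_guid.get(ev["guid"], [])
        # Parent or arguments alone is medium; both traits plus an outbound
        # connection from that same process (the C2 fetch) raises it to high.
        severity = "high" if conns and len(reasons) >= 2 else "medium"
        alerts.append({
            "guid": ev["guid"],
            "severity": severity,
            "reasons": reasons,
            "destinations": [f"{c['dest_ip']}:{c['dest_port']}" for c in conns],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the Explorer-spawned, hidden-window PowerShell process that later connects out is raised, at high severity; the console-launched Get-Service session with its WinRM connection is left alone. In production the correlation window would be bounded in time and the argument list tuned to the environment's own baseline of legitimate PowerShell usage.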
The attack relies on NameCheap-registered domains linked to Lithuania’s Cherry Servers virtual private server (VPS) instances, a technique consistent with established APT37 TTPs and with the usual configuration of RokRAT, which typically relies on cloud resources for C2.
Interestingly, the motives and objectives of the campaign SentinelOne reported are consistent with a broader trend: media and academic experts have also recently been targeted by Iran-nexus actors in an espionage campaign apparently intended to gauge public sentiment and the state of research.