Introduction to the North Korea-backed Scarcruft ROKRAT Malware Cluster
2024.11.28

S2W Threat Intelligence Center releases an analysis report on the North Korea-backed threat group Scarcruft.


The S2W Threat Intelligence Center has published a detailed report analyzing Scarcruft, an Advanced Persistent Threat (APT) group backed by North Korea.


Scarcruft, identified in the recently released Threat Intelligence Report for the Financial Sector Part 4, is one of the 16 profiled APT groups linked to North Korea, China, and Russia. This high-level threat intelligence report offers insights into the malware employed by this group.



✅ Report Title:

Introduction to Scarcruft’s ROKRAT Malware Cluster



✅ Executive Summary:


- Scarcruft, also known as APT37, Red Eyes, Reaper, and Group123, has been active since 2016. Initially, their attacks focused on South Korea, targeting defectors, NGOs, media outlets, and government institutions.

- Recently, their operations have expanded to Japan, Vietnam, Russia, Nepal, and the Middle East.

- Among the malware clusters used by the Scarcruft group, the ROKRAT family is a type of RAT first mentioned by Cisco Talos in 2017. It has been distributed across various operating systems, including Windows, macOS, and Android environments.
  • ROKRAT malware utilizes legitimate cloud services like pCloud and Yandex as Command-and-Control (C&C) servers to exfiltrate data and execute commands. It contains OAuth tokens within its code to facilitate communication with these cloud services.
  • After authentication, the ROKRAT malware receives encrypted command codes from the cloud service, decrypts them, and executes them. It also uploads stolen information from the infected device to the cloud service.

- The report analyzes four attack cases involving ROKRAT and provides details on the infection chains and associated malware functionalities.
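As an added illustration of the cloud-service C&C pattern summarized above (example code written for this page, not code from the S2W report or from the malware), the following Python sketch runs two detections over constructed proxy events: a cloud-storage API host reached by a process outside an allow-list, and one OAuth token fingerprint presented from several endpoints, which is the fleet-wide trace an implant with a hardcoded token would leave. The hostnames, the log format and the process allow-list are assumptions.

```python
import re
from collections import defaultdict

# Cloud-storage API hosts a ROKRAT-style implant would contact (assumed hostnames,
# not indicators from the report) and the processes allowed to reach them (assumed).
CLOUD_API_HOSTS = {"api.pcloud.com", "eapi.pcloud.com", "cloud-api.yandex.net"}
EXPECTED_CLIENTS = {"pcloud.exe", "yandexdisk.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed log format: timestamp then key=value pairs; "token" is a fingerprint of the
# OAuth bearer token (e.g. a hash recorded by the proxy), "-" when none was sent.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")

def parse_event(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev

def analyze(lines):
    """Return (source, reason) findings.
    Signal 1: a process outside the allow-list talking to a cloud-storage API.
    Signal 2: one token fingerprint seen from several endpoints; a user's OAuth token
    belongs to one account, but a token hardcoded in malware appears from every infected host."""
    findings, token_sources = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("host") not in CLOUD_API_HOSTS:
            continue
        src, proc = ev.get("src", "?"), ev.get("proc", "?")
        if proc.lower() not in EXPECTED_CLIENTS:
            findings.append((src, f"unexpected process {proc} -> {ev['host']}"))
        if ev.get("token", "-") != "-":
            token_sources[ev["token"]].add(src)
    for token, sources in token_sources.items():
        if len(sources) > 1:
            findings.append(("fleet", f"token {token} reused from {sorted(sources)}"))
    return findings

# Constructed sample events, not real traffic.
SAMPLE_LOG = """\
2024-11-28T09:00:01Z src=WS-01 proc=chrome.exe host=api.pcloud.com method=GET path=/userinfo token=fp-a1
2024-11-28T09:00:02Z src=WS-02 proc=pcloud.exe host=api.pcloud.com method=POST path=/uploadfile token=fp-b2
2024-11-28T09:00:03Z src=WS-03 proc=notepad.exe host=api.pcloud.com method=GET path=/listfolder token=fp-c3
2024-11-28T09:00:04Z src=WS-04 proc=explorer.exe host=cloud-api.yandex.net method=GET path=/v1/disk/resources token=fp-c3
2024-11-28T09:00:05Z src=WS-05 proc=chrome.exe host=www.example.com method=GET path=/ token=-
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` yields two per-host findings (WS-03, WS-04) and one fleet-level finding for the token shared by both; traffic to hosts outside the watched set is ignored.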



📌 What are the four attack cases, infection chains used for distribution, and associated malware?


For ROKRAT malware, spear-phishing emails with malicious attachments are used for initial infiltration. Since July 2022, the infection chain for ROKRAT has been largely categorized into two main types of initial-stage malware: the first is DROKLINK, and the second is DROKDOC.


Case A: ROKRAT Distributed via DROKLINK

  • The infection flow and functionalities of ROKRAT distributed through DROKLINK are detailed in the full report.


Case B: ROKRAT Distributed via DROKDOC

  • DROKDOC malware executes malicious actions through macros embedded in document files. The infection chain and functionalities of ROKRAT spread via DROKDOC are also discussed in the report.


Case C: Clugin & Cumulus

  • In mid-2017, Scarcruft employed watering hole attacks to distribute malicious apps. Later campaigns targeted human rights groups and journalists using the KakaoTalk messenger. Additionally, malware was spread via Facebook contacts and Google Play Store uploads, all identified as mobile versions of ROKRAT.


Case D: CloudMensis Targeting macOS

  • ESET revealed CloudMensis malware in July 2022, designed to target macOS. It performs data exfiltration, screen captures, and command execution. This malware was identified as Scarcruft’s macOS version of ROKRAT.


✅ Recommended Threat Detection and Mitigation Actions:


- As ROKRAT and its distribution methods continue to evolve, further activity is expected. It is recommended to study the infection chains, malware functionalities, and detailed attack techniques to proactively counter these threats.



🧑‍💻 Report Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact



*The full report is available upon request or with a subscription to the S2W platform.


