North Korean Hackers Attacking Cybersecurity Professionals


Hackers target cybersecurity professionals as successfully compromising their systems or gaining access to their credentials provides a gateway to valuable information and tools.

Besides this, gaining control over cybersecurity professionals’ systems could be a strategic move to disrupt or evade detection during significant attacks.

Cybersecurity researchers at SentinelOne discovered that North Korean hackers are actively targeting cybersecurity professionals to steal threat research reports.


North Korean Hackers Attacking Cybersecurity Professionals

SentinelLabs tracked “ScarCruft” targeting South Korean experts on North Korea. The persistent attacks on these individuals lasted two months; ScarCruft (aka APT37) is an established actor that is linked to Kimsuky.

Decoy documents mimicking threat reports target cyber experts. ScarCruft uses oversized LNK files to deliver RokRAT, a potent backdoor.

The tactics the threat actors use resemble earlier 2023 campaigns. The focus on experts helps North Korea gather strategic intelligence.

However, targeting cybersecurity professionals suggests interest in defense strategies.

On Dec 13, 2023, a phishing email from kirnchi122[@]hanmail.net, posing as a North Korea Research Institute member, targeted a North Korean affairs expert. 

The email appears current: it references a fake event on the same date and claims to offer the presentation materials in a “December 13th announcement.zip” archive.

Phishing email (Source – SentinelOne)

Of nine files, seven are harmless Hangul Word Processor (HWP) and PowerPoint docs, while two are harmful LNK files. 

LNK files are popular with malware authors because they sidestep Microsoft’s default macro security. To blend in, all the files are named after North Korean human rights topics and start with a number.

Here, by using the Hangul Word Processor icon, the LNK files masquerade as Hanword docs.
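As an added example (not from the article or SentinelOne’s report), a Python triage script that parses the Shell Link header and StringData section of a .lnk file and flags the traits described above: an oversized file, an icon location borrowed from the Hangul Word Processor, a script-launcher command line, and a numbered file name. The size threshold, the icon heuristic and the sample shortcut it builds are assumptions and constructed test data, not indicators from the campaign.

```python
import struct
# MS-SHLLINK constants: CLSID of a Shell Link and the LinkFlags bits used below.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
F = {"IDList": 0x01, "LinkInfo": 0x02, "Name": 0x04, "RelativePath": 0x08,
     "WorkingDir": 0x10, "Arguments": 0x20, "IconLocation": 0x40, "Unicode": 0x80}
STRING_ORDER = ("Name", "RelativePath", "WorkingDir", "Arguments", "IconLocation")
SIZE_LIMIT = 64 * 1024  # assumed threshold: a genuine shortcut is a few KB at most

def parse_lnk(data):
    """Parse the ShellLinkHeader and the StringData section of a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & F["IDList"]:            # LinkTargetIDList: uint16 size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & F["LinkInfo"]:          # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & F["Unicode"] else 1
    strings = {}
    for name in STRING_ORDER:          # each entry: uint16 char count, then the chars
        if flags & F[name]:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    return {"size": len(data), "strings": strings}

def triage_lnk(filename, data):
    """Return the campaign-style indicators a shortcut trips (empty list = clean)."""
    info, findings = parse_lnk(data), []
    s = info["strings"]
    if info["size"] > SIZE_LIMIT:
        findings.append("oversized")
    if "hwp" in s.get("IconLocation", "").lower():   # icon borrowed from Hangul Word Processor
        findings.append("hwp-icon-masquerade")
    if any(k in s.get("Arguments", "").lower() for k in ("powershell", "cmd.exe", "mshta", "-enc")):
        findings.append("script-launcher-arguments")
    if filename[:1].isdigit():                          # numbered names as in this campaign
        findings.append("numbered-filename")
    return findings

def build_sample_lnk(args, icon, pad):
    """Constructed test artifact, not a real sample: header, two StringData entries, zero padding."""
    flags = F["Arguments"] | F["IconLocation"] | F["Unicode"]
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(t)) + t.encode("utf-16-le") for t in (args, icon))
    return header + body + b"\0" * pad
```

Run `triage_lnk` over every .lnk extracted from a suspicious archive; a shortcut that trips several indicators at once is worth detonating in a sandbox before anyone opens it.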

Infection chain (Source – SentinelOne)

In December 2023, ScarCruft targeted individuals previously attacked on November 16, 2023, revealing the adversary’s persistence. 

The earlier campaign involved a news organization, with a phishing email from c039911[@]daum.net attaching two malicious HWP files impersonating North Korean market price analysis.

The HWP documents carry OLE objects that reveal C2 URLs upon activation. Document metadata links the accounts to others, such as Daily NK’s, hinting at North Korean targeting strategies, and the similarities to Kimsuky campaigns raise questions about the Daily NK-related malware.

ScarCruft’s overlap with a Russian missile organization further underscores its tactics. Investigation of the C2 URLs and their user parameters is ongoing. The infrastructure details reveal the use of Cherry Servers hosting and Namecheap domain registration.

The actor’s domain rotation aims to evade detection, as seen in instances like instantreceive[.]org mimicking GitHub. This pattern aligns with North Korea-associated threat actors.

For successful protection, potential targets must be aware of, and understand, the threat actors’ attack and infection strategies.