CyberSecurityNews

ScarCruft Abuses Legitimate Cloud Services for C2 and OLE-based Chain to Drop Malware


ScarCruft, a prolific North Korean-backed advanced persistent threat (APT) group, has significantly refined its cyberespionage capabilities in a newly identified campaign distributing the ROKRAT malware.

This recent activity marks a strategic deviation from their traditional reliance on LNK-based attack chains, pivoting instead to a complex infection method utilizing Object Linking and Embedding (OLE) objects embedded within Hangul Word Processor (HWP) documents.

The primary objective of these evolved tactics is to stealthily infiltrate targeted systems and execute the ROKRAT remote access trojan directly in memory, minimizing traces.

The attackers have continued their established pattern of abusing legitimate cloud infrastructure to facilitate command and control (C2) communications.

By leveraging trusted services such as pCloud and Yandex, ScarCruft effectively camouflages their malicious traffic amidst standard network noise, making detection and blocking efforts significantly more challenging for network defenders.

This strategic reliance on commercial cloud platforms ensures that the malware can reliably retrieve payloads and receive instructions while bypassing network-based blocking mechanisms that might otherwise flag suspicious connections.


S2W analysts noted that although the specific delivery mechanisms have shifted, the underlying technical signatures remain consistent with historical ScarCruft operations.

The researchers confirmed that all analyzed cases exhibit distinctive behaviors, such as ROR13-based API resolving and the same 0x29 XOR key for payload decryption.

These technical overlaps provide strong attribution evidence, definitively linking the new OLE-based vectors to the group’s established tools.

OLE-Based Injection and DLL Side-Loading

The infection mechanism centers on embedding malicious Droppers and Loaders as OLE objects.

Upon interaction with a weaponized HWP document, these objects initiate the attack, frequently employing DLL side-loading so that the malicious code runs under a legitimate process and evades security monitoring.

For instance, malicious files named mpr.dll or credui.dll are side-loaded into vulnerable applications like ShellRunas.exe.
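The side-loading pattern described above can be hunted for in image-load telemetry. The following is an added example, not code from the article or from S2W's report: it flags a DLL carrying one of the system-library names the article mentions (mpr.dll, credui.dll) when it is loaded from outside the Windows system directories, which is how a planted copy next to a host binary such as ShellRunas.exe would appear. The pipe-separated record format and every log line are constructed for the example; real telemetry would come from Sysmon Event ID 7 or an EDR image-load feed.

```python
# Added example (not from the article or S2W): hunt image-load records for a
# system-named DLL resolved from a non-system directory, the side-loading tell.
import ntpath

# Directories from which these DLL names should normally be resolved.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Only the two names the article reports; extend from your own baseline.
WATCHED_DLLS = {"mpr.dll", "credui.dll"}


def parse_record(line):
    """Parse a constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def in_system_dir(path):
    """True if the file's directory is one of the Windows system directories."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def is_sideload_candidate(rec):
    """A watched DLL name loaded from anywhere but a system directory."""
    loaded = rec.get("imageloaded", "")
    name = ntpath.basename(loaded).lower()
    if name not in WATCHED_DLLS:
        return False
    return not in_system_dir(loaded)


def hunt(lines):
    """Return (host process, loaded DLL) pairs that match the pattern."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_sideload_candidate(rec):
            hits.append((rec.get("image", ""), rec.get("imageloaded", "")))
    return hits


# Constructed sample telemetry: two benign loads and two side-load candidates.
SAMPLE_LOG = [
    r"image=C:\Windows\System32\svchost.exe|imageloaded=C:\Windows\System32\mpr.dll|signed=true",
    r"image=C:\Users\victim\AppData\Local\Temp\ShellRunas.exe|imageloaded=C:\Users\victim\AppData\Local\Temp\mpr.dll|signed=false",
    r"image=C:\Program Files\Tool\tool.exe|imageloaded=C:\Program Files\Tool\helper.dll|signed=true",
    r"image=C:\Users\victim\Downloads\ShellRunas.exe|imageloaded=C:\Users\victim\Downloads\credui.dll|signed=false",
]

if __name__ == "__main__":
    for host, dll in hunt(SAMPLE_LOG):
        print(f"possible side-load: {host} loaded {dll}")
```

The check deliberately keys on the DLL's location rather than on the host binary's name, so it still fires if the group swaps ShellRunas.exe for another signed host; the signed field is carried through only so an analyst can add it as a second condition.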

In the first case, the Dropper releases a payload from its resource area, while in others, it acts as a downloader, retrieving shellcode that is hidden via steganography from Dropbox links.

The Loader then checks whether it is running inside an analysis environment before decrypting the embedded payload with a 1-byte XOR key, so that ROKRAT executes only in memory and leaves few traces on disk.
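The two traits the report uses for attribution, ROR13 API hashing and a single-byte 0x29 XOR layer, are simple enough to reproduce, which is what lets an analyst label hashed imports and peel the XOR layer during triage. The block below is an added example and is not code from the article or from S2W; the hash variant (case-sensitive ASCII, no terminating NUL) is the classic shellcode form and is assumed here since the article does not specify it, and the encoded sample bytes are constructed rather than taken from a real ROKRAT payload.

```python
# Added example (not from the article or S2W): reproduce the ROR13 export hash
# so hashed imports can be labelled, and strip the 1-byte XOR (0x29) layer.
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF
XOR_KEY = 0x29  # key value reported in the article


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits."""
    return ((value >> 13) | (value << 19)) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR13 hash over the ASCII export name (assumed: no NUL appended)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror13(h) + b) & MASK32
    return h


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so hashes seen in a disassembly can be labelled."""
    return {ror13_hash(n): n for n in names}


def resolve_hash(value: int, table: Dict[int, str]) -> Optional[str]:
    """Map a hash constant back to an export name, or None if unknown."""
    return table.get(value)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Strip the single-byte XOR layer; XOR with a constant is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after decoding: does the buffer start with an MZ header?"""
    return data[:2] == b"MZ"


# A small export list to seed the table; extend from the export directories
# of the DLLs the loader actually touches.
COMMON_APIS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WinExec", "ExitProcess"]

# Constructed sample: the first eight bytes of a PE header XOR-ed with 0x29.
SAMPLE_ENCODED = bytes.fromhex("6473b9292a292929")

if __name__ == "__main__":
    table = build_hash_table(COMMON_APIS)
    print(f"0xEC0E4E8E -> {resolve_hash(0xEC0E4E8E, table)}")
    decoded = xor_decode(SAMPLE_ENCODED)
    print(f"decoded header: {decoded.hex()} (PE: {looks_like_pe(decoded)})")
```

In practice the hash table is built from the full export lists of kernel32.dll and the other libraries the loader resolves, and the XOR key is confirmed by checking that the decoded buffer carries a plausible file header, as `looks_like_pe` does, rather than by assuming it.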

To mitigate these risks, organizations must exercise extreme caution with HWP documents received via phishing emails.

Since opening documents that contain malicious OLE objects can lead to arbitrary code execution, security teams should refrain from opening files from unverified sources and strengthen threat detection rules to identify abnormal OLE objects embedded in HWP files.
