GBHackers

ScarCruft Exploits Trusted Cloud Services and OLE Documents to Deliver Malware


The North Korean-backed advanced persistent threat (APT) group known as ScarCruft has significantly evolved its attack techniques.

In a departure from their established methods, the group is now using a sophisticated OLE-based dropper to distribute its signature malware, ROKRAT.

This new campaign highlights the group’s ability to abuse legitimate cloud services like pCloud and Yandex for Command and Control (C2) communication, making detection increasingly difficult for defenders.

Historically, ScarCruft has relied on a predictable attack chain dubbed “DROKLINK” or “DROKBAT.” This method typically involved LNK (shortcut) files that dropped BAT scripts and shellcode to eventually execute the payload. However, recent findings indicate a tactical shift.

The group is now embedding Droppers and Loaders directly within OLE (Object Linking and Embedding) objects inside Hangul Word Processor (HWP) documents.

This transition suggests that ScarCruft is moving away from file-based script execution toward in-memory execution and abuse of legitimate programs, in order to evade antivirus detection.

Three Distinct Infection Cases

Researchers have identified three specific variations of this new attack chain. While they function differently, they all share the ultimate goal of executing ROKRAT directly in the system’s memory.

  1. The DLL Side-Loader (mpr.dll): In the first observed case, the malware disguises itself using the filename mpr.dll. It is embedded as an OLE object within a malicious HWP document. Once triggered, it uses a technique called DLL side-loading to force a legitimate application to run the malicious code. The loader checks its execution environment before running the shellcode.
  2. The Cloud Downloader (credui.dll): The second case involves a “Downloader” type malware. Instead of carrying the payload, it retrieves it from an external source. It connects to an attacker-controlled Dropbox link to download shellcode hidden via steganography. This variant likely abuses ShellRunas.exe for execution.
  3. The Memory Executor (version.dll): The third case is highly evasive. While the exact distribution path is less clear, evidence suggests it also originates from an HWP OLE object. This variant uses a 1-byte XOR key to restore its internal payload and immediately executes ROKRAT in memory, leaving very little forensic evidence on the disk.

The Return of ROKRAT

The payload for all these attacks remains ROKRAT, a remote access trojan (RAT) and info-stealer that ScarCruft has been using since 2017.

ROKRAT is dangerous because it allows attackers to steal files, log keystrokes, and capture screenshots.

Despite the new delivery methods, the underlying “fingerprints” of ScarCruft remain visible. All three cases utilize an API hashing algorithm based on ROR13 and a specific 0x29 XOR key for decrypting the payload.
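The two "fingerprints" named above (ROR13 API hashing and a single-byte XOR key, 0x29 here and a 1-byte key in the version.dll case) are exactly the kind of constants an analyst turns into tooling. The following Python is an added example for defenders, not code from the article or from the malware: it implements the common ROR13 hash variant (rotate right by 13, then add each ASCII byte, which is an assumption about the exact variant ScarCruft uses), builds a lookup table so hashes found in a sample can be mapped back to API names, and brute-forces a single-byte XOR key by checking each candidate for a valid MZ/PE header. The encrypted blob is constructed inline from a minimal fake PE header so the script runs offline.

```python
import struct

XOR_KEY = 0x29  # single-byte key reported for the ROKRAT payload stage


def ror13_hash(name: str) -> int:
    """ROR13 API hash as widely used in shellcode for import resolution.

    Assumption: the classic variant (ROR 13 of the running hash, then add
    the next ASCII byte); other families vary the rotation or case handling.
    """
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << (32 - 13))) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_hash_table(api_names):
    """Precompute hash -> name so hashes seen in a sample can be resolved."""
    return {ror13_hash(n): n for n in api_names}


def resolve_hashes(hashes, api_names):
    """Map each observed hash to an API name, or None if it is not in the list."""
    table = build_hash_table(api_names)
    return {h: table.get(h) for h in hashes}


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_xor(blob: bytes):
    """Try all 256 keys; return (key, decoded) for the first that yields a PE, else None."""
    for key in range(256):
        decoded = xor_decode(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


# Constructed sample: a minimal fake PE (MZ header, e_lfanew = 0x40, PE signature),
# then "encrypted" with the 0x29 key to stand in for an embedded payload stage.
SAMPLE_PLAIN = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
SAMPLE_ENCRYPTED = xor_decode(SAMPLE_PLAIN, XOR_KEY)

if __name__ == "__main__":
    names = ["LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc"]
    for h, n in build_hash_table(names).items():
        print(f"{h:08x}  {n}")
    print(recover_single_byte_xor(SAMPLE_ENCRYPTED))
```

The hash table is the part worth keeping: hashes observed in a sample's import-resolution loop can be fed to resolve_hashes with a list of exported names from kernel32.dll and friends, and the brute-force routine generalizes the article's 1-byte XOR observation to any single-byte key rather than assuming 0x29.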

Furthermore, the malware continues to use legitimate API tokens for Yandex and pCloud to disguise its stolen data traffic as normal cloud storage activity.

The primary vector for these attacks is the abuse of HWP documents. Security teams and users should exercise extreme caution when handling HWP files, especially those received via unsolicited emails.

Because an embedded OLE object can lead to arbitrary code execution, organizations should configure security policies to detect or block abnormal OLE objects embedded within documents, for example executable content stored where only an image or other data object is expected.

If a document asks for permission to run an external object or script, it should be treated as malicious until proven otherwise.
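One way to put the "detect abnormal OLE objects" advice into practice for HWP files is to inspect the document's embedded binary streams before a user ever opens the file. The Python below is an added example written for this article, not a tool from the article or from any vendor. It assumes the HWP 5 container layout (an OLE compound file with embedded objects under a BinData storage, each stream usually raw-deflate compressed, as open-source HWP parsers handle them), inflates each stream, and flags any that contain a consistent MZ/PE header or strings typical of a Windows executable, which is what a DLL dropped as an "image" object looks like. The sample streams are constructed inline so the classifier runs offline; the optional scan_hwp helper needs the third-party olefile package to walk real files.

```python
import re
import struct
import zlib

# Strings a benign image or data object should never contain (assumption: a
# short, illustrative list; extend it with your own indicators).
SUSPICIOUS_STRINGS = [
    b"This program cannot be run in DOS mode",
    b"kernel32.dll",
    b"LoadLibraryA",
]
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "bmp", "gif"}


def inflate_if_compressed(blob: bytes):
    """Return (data, was_compressed). HWP BinData streams are typically raw deflate (wbits=-15)."""
    try:
        d = zlib.decompressobj(-15)
        out = d.decompress(blob)
        if out and d.eof:
            return out, True
    except zlib.error:
        pass
    return blob, False


def find_pe_offsets(data: bytes):
    """Offsets of MZ headers whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def classify_bindata(stream_name: str, blob: bytes) -> dict:
    """Classify one embedded object stream as clean or suspicious, with reasons."""
    data, compressed = inflate_if_compressed(blob)
    findings = []
    pe_offsets = find_pe_offsets(data)
    if pe_offsets:
        findings.append(f"embedded PE at offset(s) {pe_offsets}")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            findings.append(f"string {s!r}")
    ext = stream_name.rsplit(".", 1)[-1].lower() if "." in stream_name else ""
    if ext in IMAGE_EXTENSIONS and pe_offsets:
        findings.append("image extension but executable content")
    return {
        "stream": stream_name,
        "compressed": compressed,
        "verdict": "suspicious" if findings else "clean",
        "findings": findings,
    }


def scan_hwp(path: str):
    """Walk a real HWP file's BinData storage (requires 'pip install olefile')."""
    import olefile  # third-party; only needed for real files, not for the sample below
    ole = olefile.OleFileIO(path)
    try:
        return [
            classify_bindata("/".join(entry), ole.openstream(entry).read())
            for entry in ole.listdir(streams=True, storages=False)
            if entry[0] == "BinData"
        ]
    finally:
        ole.close()


def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Constructed samples: a fake PE image (MZ header, e_lfanew = 0x80, PE signature,
# DOS stub text) hidden in a stream named like a JPEG, and a benign PNG-like blob.
_FAKE_PE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40
            + b"PE\0\0" + b"\0" * 0x20 + b"This program cannot be run in DOS mode")
SAMPLE_MALICIOUS_STREAM = _raw_deflate(_FAKE_PE)
SAMPLE_BENIGN_STREAM = _raw_deflate(b"\x89PNG\r\n\x1a\n" + bytes(range(256)))

if __name__ == "__main__":
    for name, blob in [("BinData/BIN0001.jpg", SAMPLE_MALICIOUS_STREAM),
                       ("BinData/BIN0002.png", SAMPLE_BENIGN_STREAM)]:
        print(classify_bindata(name, blob))
```

Run it against a mail-gateway quarantine folder with scan_hwp and alert on any "suspicious" verdict; a PE inside a stream that the document labels as an image is the concrete form of the "abnormal OLE object" the article says to block.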
