North Korea’s ScarCruft APT group targets infosec pros

Cybersecurity researchers and threat analysts are high on the list of valuable targets for nation-state advanced persistent threat (APT) actors. Not only can information security personnel provide access to non-public intelligence regarding malware and mitigations, but they can also become attack vectors through which the security firms themselves could become victims.

The methods through which nation-state actors have attempted to lure security researchers into downloading malware or engaging in other forms of compromise are varied. Over the past 18 months, the following campaigns have come to light:

  • A government-backed North Korean entity employed several means to target security researchers working on vulnerability research and development at different companies and organizations, including creating fake X (formerly Twitter) profiles and blogs to establish credibility with researchers before seeking to collaborate on research.
  • An unknown threat actor created phony GitHub accounts purporting to belong to both non-existent and legitimate cybersecurity companies to lure information security professionals.
  • A suspected North Korean group created fake LinkedIn accounts, posing as recruiters to lure cybersecurity professionals. The threat actors used social media sites like X to build rapport with their targets, sometimes carrying on months-long conversations in a bid to ultimately send them malicious files containing a zero-day exploit.

Now, SentinelLabs has issued a report about a new test campaign by ScarCruft, a suspected North Korean APT group, likely targeting consumers of threat intelligence such as cybersecurity professionals. In collaboration with North Korean media firm NK News, SentinelLabs observed a persistent information-gathering campaign targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea.

“With this targeting, ScarCruft, in a way, continues to fulfill its primary objective of gathering strategic intelligence,” SentinelLabs Senior Threat Researcher Aleksandar Milenkoski, one of the report’s authors, tells CSO. “In my eyes, that enables the adversary to gain a better understanding of how the international community, especially the West, perceived development in North Korea. And ultimately, this helps aid their decision-making processes.”

Planning stage malware used public threat research report

SentinelLabs also retrieved malware that it believes is currently in the planning and testing phases of ScarCruft’s development cycle, which the threat actors will likely use in future campaigns. The malware includes a spectrum of shellcode variants that deliver RokRAT public tooling and two oversized LNK files named inteligence.lnk and news.lnk; LNK is the shortcut file type that Windows creates automatically when users open files. RokRAT malware focuses on running additional payloads and data exfiltration. As its decoy document, the malware uses a public technical threat research report on North Korean threat actor Kimsuky, a group that shares characteristics with ScarCruft. The Korean-language report came from Genians, a South Korean cybersecurity company. “Given the report’s technical content, the LNK file names, and ScarCruft’s use of decoys relevant to the targeted individuals, we suspect ScarCruft has been planning phishing campaigns on recent developments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence reports,” SentinelLabs’ report concludes.

“DPRK threat actors have targeted infosec professionals in the past as well, predominantly through social engineering attacks,” Milenkoski says. “But we definitely observed, for the first time, the use of threat research reports as decoys.”
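For defenders who want to triage shortcut files like the oversized LNK files described above, the following is an added example (not code from SentinelLabs or from the original article). It reports a file's total size and how many bytes trail the Shell Link structures defined in Microsoft's MS-SHLLINK format; the 1 MiB threshold, the function names and the sample input are assumptions made for illustration.

```python
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_LIMIT = 1024 * 1024  # assumed triage threshold; tune for your environment

def lnk_structure_end(data: bytes) -> int:
    """Offset at which the MS-SHLLINK structures end; later bytes are overlay."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    try:
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76  # fixed-size ShellLinkHeader
        if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x02:  # HasLinkInfo: 4-byte size that counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & 0x80 else 1  # IsUnicode selects UTF-16 strings
        for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # the five StringData fields
            if flags & bit:
                pos += 2 + struct.unpack_from("<H", data, pos)[0] * width
        while True:  # ExtraData blocks; a size below 4 is the terminal block
            size = struct.unpack_from("<I", data, pos)[0]
            if size < 4:
                return pos + 4
            pos += size
    except struct.error:
        raise ValueError("truncated or malformed Shell Link file") from None

def triage_lnk(data: bytes) -> dict:
    """Report total size, trailing overlay bytes, and a review flag."""
    overlay = len(data) - lnk_structure_end(data)
    return {"size": len(data), "overlay": overlay,
            "suspicious": len(data) > SIZE_LIMIT or overlay > 0}

def make_sample(arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed test input: header + one Unicode arguments string + overlay."""
    header = b"\x4c\x00\x00\x00" + LNK_CLSID + struct.pack("<I", 0xA0) + bytes(52)
    strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + strings + bytes(4) + overlay  # bytes(4) = terminal block

if __name__ == "__main__":
    print(triage_lnk(make_sample("--open report.pdf")))
    print(triage_lnk(make_sample("--open report.pdf", bytes(2 * 1024 * 1024))))
```

An ordinary shortcut is a few kilobytes with no trailing data, so either condition is a reason to inspect the file before opening it, not proof that it is malicious.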

North Korea keeping track of the threat intel community

The goal of this attack chain would be to gather intelligence and keep track of the threat intelligence community. “I think the goal would be to gather non-public threat intelligence information and maybe even identify defense strategies that would be effective against the operations” while improving their tactics, techniques, and procedures, according to Milenkoski.

“Based on the file names that we observed and the nature of the report that they were using, we suspect that they were planning either a phishing or a social engineering campaign centered around recent developments in the North Korean cyber threat landscape,” Milenkoski says. “So having that in mind, there is a really wide range of cybersecurity professionals that they could target ranging from entry-level or junior cyber professionals up to very experienced ones.”

SentinelLabs observed several malicious files that used this specific report, indicating that ScarCruft was in the testing process. However, nothing in the infection chain would prohibit ScarCruft from using any vendor’s research report as a decoy, thus potentially expanding the pool of targets to anyone interested in reading cybersecurity research reports. “They can use other threat intel reports as well. There is nothing that prohibits them from using other threat intel reports from a technical perspective, at least,” Milenkoski says.

That Genians’s report was written in Korean wouldn’t necessarily limit the potential reach of any active ScarCruft campaign to only Korean language readers. “We, as threat intelligence researchers, are regularly consuming threat intelligence reports in other languages as well. This is a common practice in our community.”

Cyber professionals need to be vigilant

ScarCruft will likely launch this test campaign for real at some point. “I think they’re very, very persistent, very adaptable,” Milenkoski says. “I suspect that they will continue at some point to implement this campaign for sure because the goals of the campaign are of strategic interest to them.” He speculates that any successful campaign ScarCruft does deploy using this infection chain would likely be very targeted, especially if they’re very deliberate and persistent.

While most cybersecurity professionals have become adept at spotting phishing campaigns, “I would definitely advise everyone in the cybersecurity industry to be very aware and vigilant about who they’re speaking to and what they’re discussing and where those exchanges lead,” Milenkoski says. “If at some point these exchanges require [them] to execute something on their system or to download and then execute, then it’s definitely a red flag. Unless that communication is with a very trusted person.”
