Cybersecurity researchers and threat analysts are high on the list of valuable targets for nation-state advanced persistent threat (APT) actors. Not only can information security personnel provide access to non-public intelligence regarding malware and mitigations, but they can also become attack vectors through which the security firms themselves could become victims.
The methods through which nation-state actors have attempted to lure security researchers into downloading malware or engaging in other forms of compromise are varied, and over the past 18 months the following campaigns have come to light:
- A government-backed North Korean entity employed several means to target security researchers working on vulnerability research and development at different companies and organizations, including creating fake X (formerly Twitter) profiles and blogs to establish credibility with researchers before seeking to collaborate on research.
- An unknown threat actor created phony GitHub accounts from non-existent and legitimate cybersecurity companies to lure information security professionals.
- A suspected North Korean group created fake LinkedIn accounts, posing as recruiters to lure cybersecurity professionals. The threat actors used social media sites like X to build rapport with their targets, sometimes carrying on months-long conversations in a bid to ultimately send them malicious files containing a zero-day exploit.
Now, SentinelLabs has issued a report about a new test campaign by ScarCruft, a suspected North Korean APT group, likely targeting consumers of threat intelligence such as cybersecurity professionals. In collaboration with North Korean media firm NK News, SentinelLabs observed a persistent information-gathering campaign targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea.
“With this targeting, ScarCruft, in a way, continues to fulfill its primary objective of gathering strategic intelligence,” SentinelLabs Senior Threat Researcher Aleksandar Milenkoski, one of the report’s authors, tells CSO. “In my eyes, that enables the adversary to gain a better understanding of how the international community, especially the West, perceives developments in North Korea. And ultimately, this helps aid their decision-making processes.”
Planning stage malware used public threat research report
SentinelLabs also retrieved malware that it believes is currently in the planning and testing phases of ScarCruft’s development cycle, which the threat actors will likely use in future campaigns. The malware includes a spectrum of shellcode variants that deliver RokRAT public tooling and two oversized LNK files, created by Windows automatically when users open files, named inteligence.lnk and news.lnk. RokRAT malware focuses on running additional payloads and data exfiltration. This malware uses as a decoy document a public technical threat research report on North Korean threat actor Kimsuky, a group that shares characteristics with ScarCruft. The Korean language report came from Genians, a South Korean cybersecurity company. “Given the report’s technical content, the LNK file names, and ScarCruft’s use of decoys relevant to the targeted individuals, we suspect ScarCruft has been planning phishing campaigns on recent developments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence reports,” SentinelLabs’ report concludes.
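A simple triage check that follows from the report’s observation about oversized LNK files, written here as an added example (it is not code from SentinelLabs, CSO or the ScarCruft report): it validates the Shell Link header (the fixed 0x4C header size and the well-known LNK CLSID), reads the LinkFlags field, and flags shortcuts that are far larger than a normal shortcut or that carry command-line arguments. The 1 MiB size threshold is an assumption chosen for illustration, and the sample byte strings are constructed in the script rather than taken from any real campaign file.

```python
import struct
from dataclasses import dataclass

LNK_HEADER_SIZE = 0x4C                                   # fixed HeaderSize of a Shell Link file
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ARGUMENTS = 0x20                                     # LinkFlags bit: CommandLineArguments present
SIZE_THRESHOLD = 1 * 1024 * 1024                         # assumption: real shortcuts are a few KB, not MB


@dataclass
class LnkFinding:
    name: str
    size: int
    valid_header: bool
    has_arguments: bool
    oversized: bool

    def suspicious(self) -> bool:
        # A well-formed shortcut that is huge or carries arguments deserves a closer look.
        return self.valid_header and (self.oversized or self.has_arguments)


def triage_lnk(name: str, data: bytes, threshold: int = SIZE_THRESHOLD) -> LnkFinding:
    """Inspect raw .lnk bytes and report size/flag indicators (no execution, parsing only)."""
    valid = (
        len(data) >= LNK_HEADER_SIZE
        and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
        and data[4:20] == LNK_CLSID
    )
    flags = struct.unpack_from("<I", data, 0x14)[0] if valid else 0
    return LnkFinding(
        name=name,
        size=len(data),
        valid_header=valid,
        has_arguments=bool(flags & HAS_ARGUMENTS),
        oversized=len(data) > threshold,
    )


def make_sample_lnk(flags: int, padding: int) -> bytes:
    """Build a constructed (not real) LNK byte string with the given LinkFlags and trailing padding."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))       # zero the rest of the 76-byte header
    return header + bytes(padding)


if __name__ == "__main__":
    samples = {
        "news.lnk": make_sample_lnk(flags=0, padding=512),                       # ordinary-sized, no args
        "inteligence.lnk": make_sample_lnk(flags=HAS_ARGUMENTS, padding=2 * 1024 * 1024),  # oversized, args
        "notes.txt": b"plain text, not a shortcut",
    }
    for fname, blob in samples.items():
        f = triage_lnk(fname, blob)
        print(f"{fname}: size={f.size} valid={f.valid_header} args={f.has_arguments} "
              f"oversized={f.oversized} suspicious={f.suspicious()}")
```

Run over a directory of .lnk attachments, a finding with suspicious() true is a reasonable trigger for sandbox detonation or analyst review rather than delivery to the recipient.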
“DPRK threat actors have targeted infosec professionals in the past as well, predominantly through social engineering attacks,” Milenkoski says. “But we definitely observed, for the first time, the use of threat research reports as decoys.”