Into the Cumulus: Scarcruft bolsters arsenal for targeting individual Android devices
2023
LONDON
4 - 6 October, 2023 / London, United Kingdom
INTO THE CUMULUS: SCARCRUFT BOLSTERS ARSENAL FOR TARGETING INDIVIDUAL ANDROID DEVICES
Sebin Lee, Sojun Ryu, Hyeokju Gwon & Youngjae Shin
S2W, Republic of Korea
[email protected]
[email protected]
[email protected]
[email protected]
www.virusbulletin.com
INTO THE CUMULUS: SCARCRUFT BOLSTERS ARSENAL FOR TARGETING INDIVIDUAL... LEE ET AL.
ABSTRACT
Scarcruft Group (aka APT37), a North Korean APT group, is believed to have been active since 2016 and continues to carry out attacks against institutions and political organizations around the world. In April 2017, a Cisco Talos team disclosed the Scarcruft group’s proprietary tool, ROKRAT, a piece of malware that has been continuously modified and used by the group to this day. Initially, only the Windows version of ROKRAT was used, but an Android version of the malware was also later identified.

According to a report published by the Financial Security Institute, the Scarcruft group conducted an attack in mid-2017 that distributed mobile versions of ROKRAT to specific devices through a watering hole attack.
In following the Scarcruft …
IoC