
ScarCruft surveilling North Korean defectors and human rights activists

2021-11-29, Kaspersky
https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
#ScarCruft #Chinotto

Contents

The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor we first reported in 2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula, among others. Recently, we were approached by a news organization with a request for technical assistance during their cybersecurity investigations. As a result, we had an opportunity to perform a deeper investigation on a host compromised by ScarCruft. The victim was infected by PowerShell malware, and we discovered evidence that the actor had already stolen data from the victim and had been surveilling this victim for several months. The actor also attempted to send spear-phishing emails to the victim's associates working in businesses related to North Korea by using stolen login credentials.
Based on the findings from the compromised machine, we discovered additional malware. The actor utilized three types …

IoC
