ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals
Executive Summary
- SentinelLabs observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organizations and high-profile experts in North Korean affairs.
- We recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably intended for use in future campaigns.
- ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
- ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.
Overview
In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea. We observed persistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery methods, and infrastructure, we assess with high confidence …
IoC
0ED884A3FC5C28CDB8562CD28993B30991681B0A
2F78ABC001534E28EB208A73245CE5389C40DDBE
39C97CA820F31E7903CCB190FEE02035FFDB37B9
4024A9B0C0F19A33A3C557C7E220B812EE6FDD17
46C3F9DE79D85165E3749824804235ACA818BA09
483B84F973528B23E5C14BC95FBC7031A4B291F1
4C74E227190634A6125B2703B05CB16AD69AC051
577C3A0AC66FF71D9541D983E37530500CB9F2A5
7C4E37E0A733B5E8F0F723CCA2A9675901527DC4
84.32.129.32
84.32.131.104
84.32.131.30
84.32.131.50
84.32.131.59
84.32.131.66
84.32.131.87
88DB1E2EFBB888A97A530C8BEF8CA104CEAAB80C
8951F3EB2845C0060E2697B7F6B25ABE8ADE8737
9DD8AA1D66CC4E765E63DC5121216D95E62A0E1C
9E0C6A067AAB113E6A4B68299AB3B9D4C36FC330
9EAAAB9D4F65E3738BB31CDF71462E614FFBD2BA
B23A3738B6174F62E4696080F2D8A5F258799CE5
B91B318A9FBB153409A846BF173E9D1BD0CC4DBF
C4B58CA12F7B16B6D39CE4222A5A2E054CD77B4E
D457D6BDCFA6D31934FB1E277FA0DE7119E9C2A5
D9AC0CC6D7BDC24F52878D3D5AC07696940062D0
E46907CFAF96D2FDE8DA8A0281E4E16958A968ED
E9DF1F28CFBC831B89A404816A0242EAD5BB142C
FBF4D8C7418B021305317A185B1B3534A2E25CC8
[email protected]
[email protected]
http://84.32.129.32
http://84.32.131.104
http://84.32.131.30
http://84.32.131.50
http://84.32.131.59
http://84.32.131.66
http://84.32.131.87
http://app.documentoffice.club
http://benefitinfo.live
http://benefitinfo.pro
http://benefiturl.pro
http://careagency.online
http://cra-receivenow.online
http://crareceive.site
http://dallynk.com
http://depositurl.co
http://depositurl.lat
http://direct.traderfree.online
http://documentoffice.club
http://forex.traderfree.online
http://groceryrebate.online
http://groceryrebate.site
http://gstcreceive.online
http://http://app.documentoffice.club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950
http://http://app.documentoffice.club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE
http://http://app.documentoffice.club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6
http://http://app.documentoffice.club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU
http://http://nav.offlinedocument.site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC
http://http://nav.offlinedocument.site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM
http://http://nav.offlinedocument.site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP
http://instantreceive.org
http://myprofile.zip
http://nav.offlinedocument.site
http://offlinedocument.site
http://one.bandi.tokyo
http://receive.bio
http://receiveinstant.online
http://rentsubsidy.help
http://rentsubsidy.online
http://tinyurlinstant.co
http://urldepost.co
http://verifyca.online
http://visiononline.store
[email protected]