Behind the mask of ScarCruft: Unveiling endeavor of shady actor
2019-10-28 • Kaspersky
https://github.com/theseongsu/presentation/blob/main/SAS2019_ScarCruft.pdf
Attachments
SAS2019_ScarCruft.pdf (2 MB)
Kaspersky's ScarCruft presentation profiles the Korean-speaking actor also tracked as Reaper, Group123, and APT37, focusing on organizations and individuals tied to Korean Peninsula affairs. The slides describe spearphishing, malicious HWP documents, DDE and CVE-2017-11182 exploitation, strategic website compromise, UAC bypass, and payload delivery through compromised web servers and free hosting. ScarCruft's ROKRAT-style cloud backdoor uses services such as Box, Dropbox, Pcloud, and Yandex while supporting credential theft, directory listing, screenshots, audio recording, command execution, and cloud token updates. The victimology section includes diplomatic, investment, trading, and North Korea-focused targets in places such as Russia, Hong Kong, and Vietnam.