ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals
2024-01-22 • SentinelOne
SentinelLabs and NK News tracked ScarCruft activity against media organizations and high-profile experts on North Korean affairs, assessing the campaigns with high confidence based on malware, delivery methods, and infrastructure. The observed phishing email impersonated the Institute for North Korean Studies and delivered an archive containing benign HWP and PowerPoint files alongside malicious LNK files disguised as Hanword documents. The LNK chains deliver RokRAT, a ScarCruft backdoor used for surveillance, through oversized shortcut files and multiple executable stages. SentinelLabs also recovered testing-stage malware that used a Kimsuky technical report as a decoy, suggesting planned targeting of threat researchers, cyber policy organizations, and other consumers of threat intelligence.
Indicators of Compromise