North Korean Threat Actor Delivers Ransomware Via Phishing Emails


The North Korean threat actor ScarCruft has incorporated ransomware into its arsenal, according to researchers at South Korean security firm S2W.

ScarCruft is known for conducting espionage operations, but North Korean state-sponsored groups often conduct financially motivated attacks to generate revenue for Pyongyang.

“The deployment of ransomware, traditionally uncommon in ScarCruft campaigns, represents a notable deviation from the group’s historical focus on espionage,” the researchers write. “This suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics.”

The researchers observed the threat actor deploying ransomware in a campaign targeting South Koreans last month. The attackers sent phishing emails disguised as postal-code updates regarding changes in street addresses. The emails contained malicious LNK files embedded in RAR archives, which were designed to deliver a variety of different malware strains.

“Upon execution, the LNK dropped an AutoIt loader, which then fetched and executed additional payloads including a stealer, ransomware, and backdoor from an external server,” S2W says. “Among the nine distinct malware samples identified in this campaign, the following are the most notable: NubSpy, LightPeek, TxPyLoader, FadeStealer, VCD Ransomware, and CHILLYCHINO, among others.”

The threat actor has also ported its malware to new programming languages in order to expand targeting and evade detection.

“Existing malware, as well as publicly available code, has been ported to alternative programming languages for reuse,” the researchers write.

“Similar to the group’s prior use of Go-based malware like AblyGo, this campaign features malware written in Rust, suggesting a pattern of using modern languages for enhanced versatility and detection evasion. These efforts indicate ScarCruft’s ongoing focus on detection evasion and tooling.”

AI-powered security awareness training can give your organization an essential layer of defense against phishing attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

The Record has the story.


