Full Report
The North Korean state-sponsored hacking group known as ScarCruft (aka APT37) has been observed using spear-phishing messages impersonating Microsoft Account security notifications to deliver a new malware called NarwhalRAT. "The attack email contained a message impersonating an MS account security alert," the Genians Security Center (GSC) said. "It was designed to create concern over possible
Analysis Summary
# Threat Actor: ScarCruft (APT37)
## Attribution & Identity
ScarCruft is a North Korean state-sponsored cyber-espionage group. It is widely tracked by the security community under several aliases and is known for its alignment with the interests of the Democratic People's Republic of Korea (DPRK).
- **Aliases:** APT37, Reaper, Group123, Mealybug.
- **Known Associations:** Attributed to North Korean intelligence operations, frequently targeting South Korean entities and individuals involved in North Korean affairs.
## Activity Summary
Recent activity involves a sophisticated spear-phishing campaign designed to deliver a new Python-based malware named **NarwhalRAT**. The campaign leverages social engineering by impersonating Microsoft Account security notifications. These emails alert the user to "abnormal activity" regarding One-Time Passwords (OTP), creating a false sense of urgency to trick victims into opening a malicious attachment disguised as a security advisory.
## Tactics, Techniques & Procedures
- **Spear-Phishing (T1566.001):** Distribution of emails impersonating legitimate services (Microsoft) to lure victims into executing malicious files.
- **Masquerading (T1036):** The malware uses a hidden directory named `naverwhale` to impersonate the legitimate South Korean "Naver Whale" browser.
- **Malicious LNK Files (T1204.002):** Using ZIP archives containing LNK files to trigger the infection chain.
- **Multi-stage Loading:** Sequential execution of batch scripts to download Python executables and the final RAT payload.
- **Scheduled Tasks (T1053.005):** Establishing persistence by creating scheduled tasks to launch the malware.
- **Fileless Execution:** Running payloads in memory via Windows security catalog (CAT) files to minimize disk artifacts.
- **Dead Drop Resolver (T1102.001):** Utilizing pCloud storage APIs as a secondary command-and-control (C2) channel.
## Targeting
- **Sectors:** Government, Technology, and individuals related to North Korean affairs.
- **Geography:** Primarily South Korea (indicated by the use of South Korean web infrastructure and impersonation of Naver Whale).
- **Victims:** Users of Microsoft services and the Naver Whale browser, as well as the organizations and individuals targeted by this actor's earlier ticket-confirmation and event-invitation lures.
## Tools & Infrastructure
- **Malware:**
  - **NarwhalRAT:** A Python-based RAT capable of keylogging, high-resolution screenshots, audio recording, and data theft from USB devices and directories.
  - **RokRAT:** Historically used by this actor; in this campaign it has been supplemented or replaced by NarwhalRAT.
- **Infrastructure:**
  - **Primary C2 Relays:**
    - `daehoat[.]com`
    - `novel21[.]co[.]kr`
  - **Secondary C2/Exfiltration:**
    - `pCloud` API (cloud storage service).
  - **Legitimate Binaries:** Downloads Python from the official `python[.]org` site to facilitate script execution.
## Implications
ScarCruft’s shift toward Python-based malware and the use of legitimate cloud services like pCloud for C2 (Dead Drop Resolving) demonstrates an evolving effort to bypass signature-based detection and traditional network monitoring. The impersonation of regional services (Naver) and global services (Microsoft) highlights a high level of social engineering maturity aimed at South Korean targets.
## Mitigations
- **Email Security:** Implement advanced phishing protection to identify and quarantine emails containing LNK files within ZIP archives.
- **Endpoint Monitoring:** Monitor for unusual `python.exe` execution, especially instances launched from batch scripts or communicating with external cloud storage APIs (e.g., pCloud).
- **Behavioral Analysis:** Audit the creation of unexpected scheduled tasks and the creation of hidden directories within `%APPDATA%`.
- **User Training:** Educate employees on verifying the sender of security alerts and cautioning against "urgent" requests to download attachments for password changes.
- **Application Whitelisting:** Restrict the execution of scripting interpreters (Python, PowerShell, Batch) to authorized administrative accounts only.
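The detection logic implied by the TTP list and by the Endpoint Monitoring and Behavioral Analysis mitigations above, as an added Python example that is not part of the original report. It runs over a handful of constructed Sysmon-style events (not real telemetry) and flags the chain the report describes: a batch script launched from a hidden `naverwhale` directory under `%APPDATA%`, `python.exe` spawned by `cmd.exe`, a `schtasks.exe /create` persistence step, DNS lookups of the report's C2 domains, and a Python interpreter resolving a pCloud host. The two C2 domains are the report's own indicators; the pCloud hostname pattern, the exact path layout, the user name and the task name are assumptions made for the sample data.

```python
import re

# Indicators copied from the report above (defanged there). Everything else in
# this file, including the pCloud hostname pattern and all sample events, is
# constructed for illustration and is not real telemetry.
C2_DOMAINS = {"daehoat[.]com", "novel21[.]co[.]kr"}
PCLOUD_HOST = re.compile(r"(^|\.)pcloud\.com$", re.IGNORECASE)   # assumption: pCloud API hostnames
PYTHON_IMAGES = ("python.exe", "pythonw.exe")
# Hidden "naverwhale" directory under %APPDATA% (the T1036 masquerade in the report).
NAVERWHALE_DIR = re.compile(r"\\AppData\\Roaming\\naverwhale\\", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as daehoat[.]com back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return {finding_name: [event ids]} for the behaviours the report's mitigations call out."""
    c2 = {refang(d) for d in C2_DOMAINS}
    hits = {}

    def flag(name, ev):
        hits.setdefault(name, []).append(ev["id"])

    for ev in events:
        if ev["event"] == "process_create":
            image = basename(ev["image"])
            cmdline = ev.get("cmdline", "")
            # Anything launched from, or pointing into, the hidden naverwhale directory.
            if NAVERWHALE_DIR.search(ev["image"]) or NAVERWHALE_DIR.search(cmdline):
                flag("hidden_naverwhale_dir", ev)
            # Python interpreter started by a batch script (cmd.exe): the multi-stage loader.
            if image in PYTHON_IMAGES and basename(ev.get("parent", "")) == "cmd.exe":
                flag("python_spawned_by_cmd", ev)
            # Persistence via schtasks.exe /create (T1053.005).
            if image == "schtasks.exe" and "/create" in cmdline.lower():
                flag("scheduled_task_created", ev)
        elif ev["event"] == "dns_query":
            query = ev["query"].lower()
            if query in c2:
                flag("known_c2_domain", ev)
            # pCloud is a legitimate service; only a script interpreter resolving it is suspicious here.
            elif PCLOUD_HOST.search(query) and basename(ev.get("image", "")) in PYTHON_IMAGES:
                flag("python_to_cloud_storage", ev)
    return hits


# Constructed sample events in the order the infection chain would produce them.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "image": r"C:\Program Files\Python312\python.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "python.exe report.py"},        # benign baseline
    {"id": 2, "event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\naverwhale\stage1.bat"'},  # LNK -> batch
    {"id": 3, "event": "process_create", "image": r"C:\Users\alice\AppData\Roaming\naverwhale\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "python.exe loader.py"},
    {"id": 4, "event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "WhaleUpdate" /tr '
                r'"C:\Users\alice\AppData\Roaming\naverwhale\python.exe loader.py"'},   # task name constructed
    {"id": 5, "event": "dns_query", "query": "daehoat.com",
     "image": r"C:\Users\alice\AppData\Roaming\naverwhale\python.exe"},
    {"id": 6, "event": "dns_query", "query": "api.pcloud.com",
     "image": r"C:\Users\alice\AppData\Roaming\naverwhale\python.exe"},
    {"id": 7, "event": "dns_query", "query": "api.pcloud.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},             # legitimate pCloud use
]

if __name__ == "__main__":
    for name, ids in triage(SAMPLE_EVENTS).items():
        print(f"{name}: events {ids}")
```

Event 1 (a normally installed Python started from Explorer) and event 7 (a browser talking to pCloud) produce no findings, which is the point of keying the cloud-storage rule on the interpreter rather than on the destination alone; in production the same logic would be fed from Sysmon event IDs 1 and 22 or an EDR's process and DNS tables.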