ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques


ScarCruft, the North Korean APT group, is exploiting Microsoft Compiled HTML Help (CHM) files that are weaponized to download more malware.

Several reports from AhnLab Security Emergency Response Center (ASEC), SEKOIA.IO, and Zscaler confirm that the group is consistently improving its techniques to avoid detection. This demonstrates their dedication to refining and adapting their tactics.

According to a new analysis released on Tuesday by Zscaler researchers Sudeep Singh and Naveen Selvan, the group continuously updates its tools, tactics, and procedures, and experiments with new file formats and methods to get past security vendors' defenses.

ScarCruft, which is also tracked as APT37, Reaper, RedEyes, and Ricochet Chollima, has been operating at a higher tempo since the beginning of the year. Its main objective is espionage against South Korean entities, and the group has been active since 2012.

ASEC recently exposed a campaign that used HWP files to exploit a vulnerability in the Hangul word processing software, with the aim of installing an M2RAT backdoor.

Recent findings show that the threat actor is also using additional file formats, including CHM, HTA, LNK, XLL, and macro-enabled Microsoft Office files, in spear-phishing attacks directed at South Korean targets.

These infection chains are frequently used to display a decoy document and deploy an updated version of a PowerShell-based implant called Chinotto, which can execute commands received from a server and exfiltrate sensitive data.

Chinotto now has additional features such as taking screenshots every five seconds and recording keystrokes. The gathered data is stored in a compressed file and transmitted to a distant server.
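As an added defensive example (not code from the cited reports or the original article), a small Python hunt over process-creation events: the Windows CHM handler hh.exe spawning a script interpreter such as PowerShell is the behaviour a weaponized help file that launches a PowerShell implant leaves in endpoint telemetry. The Sysmon-style log lines, paths, and process IDs below are constructed for illustration.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style,
# one key=value line per event). All paths, PIDs and command lines are invented.
SAMPLE_EVENTS = [
    "Utc=2023-03-22T09:14:01 Pid=4120 Image=C:\\Windows\\hh.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=hh.exe C:\\Users\\kim\\Downloads\\invoice.chm",
    "Utc=2023-03-22T09:14:03 Pid=4188 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\hh.exe CommandLine=powershell.exe -w hidden -c [redacted]",
    "Utc=2023-03-22T09:20:10 Pid=5004 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell.exe Get-Process",
    "Utc=2023-03-22T09:25:44 Pid=5210 Image=C:\\Windows\\hh.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=hh.exe C:\\Program Files\\Vendor\\help.chm",
]

# Interpreters and LOLBins that a help file has no legitimate reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Locations where a phishing attachment typically lands before being opened.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn a 'Key=value Key2=value' line into a dict (values may contain spaces)."""
    return {k: v for k, v in KV.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return (severity, reason) for a suspicious event, or None if it looks benign."""
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    if parent == "hh.exe" and image in SCRIPT_HOSTS:
        return "high", "CHM help viewer spawned a script host"
    if image == "hh.exe" and any(p in event.get("CommandLine", "").lower() for p in USER_WRITABLE):
        return "low", "CHM opened from a user-writable path"
    return None


def detect_chm_abuse(lines) -> list:
    """Run evaluate() over raw log lines; return the flagged events with severity attached."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = evaluate(event)
        if verdict:
            hits.append({**event, "severity": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in detect_chm_abuse(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] pid={hit['Pid']} {hit['reason']}: {hit['CommandLine']}")
```

Only the two events tied to the Downloads-sourced CHM are flagged; the interactive PowerShell session and the vendor help file are not.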

The details of ScarCruft's different attack methods were obtained from a GitHub repository maintained by the attackers, who have stored malicious payloads there since October 2020.

Zscaler researchers noted that the threat actor managed to keep a GitHub repository active for over two years, regularly uploading malicious payloads, without being detected or taken down.

In addition to spreading malicious software, ScarCruft has been observed setting up fake login pages in an attempt to steal credentials from users of various email and cloud services, including Naver, iCloud, Kakao, and

It is currently unknown how victims reach these pages; the pages may be embedded in iframes on attacker-owned websites or sent to targets as HTML attachments via email.

SEKOIA.IO has also uncovered a backdoor called AblyGo, written in Go, which uses the Ably messaging framework to receive instructions.

Other North Korea-linked groups appear to be adopting CHM files as a way to deliver malware as well. ASEC recently discovered a phishing campaign orchestrated by Kimsuky that distributed a backdoor capable of collecting clipboard data and recording keystrokes.
