North Korea's APT37 Launches New ScarCruft Campaign Using LNK File and RokRAT Malware
Cybersecurity researchers at Seqrite Labs have exposed a fresh wave of the ScarCruft campaign. This time, the North Korea-linked APT37 group is using a malicious LNK file and a decoy Word document to steal sensitive data. The operation, dubbed HanKook Phantom, targets South Korean government sectors and research institutions.

The campaign begins with a phishing email carrying a fake newsletter PDF and a malicious LNK (Windows shortcut) file disguised as a document. Windows Explorer never shows the .lnk extension, so a shortcut named like a PDF or Word file looks like one to the recipient. Opening the LNK triggers a multi-stage infection that ultimately deploys the RokRAT malware. RokRAT lets the attackers capture screenshots, execute commands remotely, and talk to its command and control (C2) infrastructure through legitimate cloud services such as Dropbox, pCloud, and Yandex. Because that traffic goes to services many organisations already use, network detection has to look at which process is making the connection and what it uploads, not only at the destination. The objectives are data theft, persistence, and espionage.

APT37, also tracked as ScarCruft, InkySquid, or Ricochet Chollima, has been active since at least 2012 and has previously exploited zero-day vulnerabilities in Adobe Flash Player. Kaspersky first documented the group's operations in 2016, noting that its attacks mainly targeted South Korean organisations.

Seqrite Labs' discovery of this latest ScarCruft campaign highlights the ongoing threat posed by APT37. The continued reliance on a malicious LNK file paired with a decoy Word document shows the group's adaptability and persistence. With its focus on South Korean government sectors and research institutions, the HanKook Phantom operation underscores the need for robust defences: blocking or quarantining LNK attachments at the mail gateway, treating shortcut files with document-style double extensions as suspicious, and monitoring for script interpreters launched from Explorer with hidden-window or encoded-command arguments.
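The following is an added example, not code from the article or from Seqrite Labs, showing how a defender can triage the kind of disguised shortcut lure described above. It parses the ShellLinkHeader and StringData sections of a .lnk file as laid out in Microsoft's MS-SHLLINK specification, then applies generic heuristics: a script interpreter as the target, hidden-window or encoded-command arguments, a minimized ShowCommand, an icon borrowed from a document viewer, a document-style double extension, and an oversized file. The sample shortcuts, the 64 KB size threshold, and the placeholder arguments are constructed for the demonstration and are not artefacts from the HanKook Phantom campaign.

```python
"""Triage Windows .lnk files for signs of a disguised shortcut dropper.
Parsing follows MS-SHLLINK (ShellLinkHeader + StringData); the IDList and
LinkInfo sections are skipped, so the target seen here is the RELATIVE_PATH
string, which is what most script-launching shortcuts carry."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand, total size and the StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 0x3C)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, key in STRING_FIELDS:           # StringData appears in this fixed order
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            strings[key] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            strings[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return {"flags": flags, "show_command": show_command, "size": len(data), **strings}

# Heuristic inputs (assumptions for this example, tune to your environment).
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
HIDING_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-enc",
               "frombase64string", "downloadstring")
DOC_VIEWERS = ("acrobat", "acrord", "winword", "wordpad", "excel", "hwp")
DOC_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".txt")
SIZE_LIMIT = 64 * 1024   # assumption: genuine shortcuts are a few KB at most

def triage_lnk(data: bytes, filename: str = "") -> list:
    """Return the list of reasons a shortcut looks like a dropper (empty = clean)."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower()
    reasons = []
    if any(i in target for i in INTERPRETERS):
        reasons.append("target is a script interpreter or LOLBin")
        if any(v in icon for v in DOC_VIEWERS):
            reasons.append("icon borrowed from a document viewer")
    if any(h in args for h in HIDING_ARGS):
        reasons.append("arguments hide the window or run encoded/downloaded code")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand minimizes the console (SW_SHOWMINNOACTIVE)")
    stem = filename.lower()
    stem = stem[:-4] if stem.endswith(".lnk") else stem
    if stem.endswith(DOC_EXTS):
        reasons.append("document double extension disguises the shortcut")
    if info["size"] > SIZE_LIMIT:
        reasons.append("file far larger than a normal shortcut (embedded payload?)")
    return reasons

def build_lnk(relative_path, arguments="", icon_location="", show_command=1, padding=0):
    """Construct a minimal Unicode shell link (StringData only) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    hdr = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<II", flags, 0)
    hdr += b"\x00" * 24                                   # three FILETIMEs
    hdr += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = sd(relative_path) + (sd(arguments) if arguments else b"") \
        + (sd(icon_location) if icon_location else b"")
    return hdr + body + b"\x00" * padding                 # padding stands in for an embedded stage

# Constructed samples (not campaign artefacts): a decoy-document dropper and a normal shortcut.
SUSPICIOUS_NAME = "newsletter.pdf.lnk"
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -enc <base64-encoded-stage>",
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE, padding=200 * 1024)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    print(SUSPICIOUS_NAME, triage_lnk(SUSPICIOUS_LNK, SUSPICIOUS_NAME))
    print("notepad++.lnk", triage_lnk(BENIGN_LNK, "notepad++.lnk"))
```

Run this against quarantined mail attachments or a directory of shortcuts pulled from an endpoint; any non-empty reason list is worth a manual look. A production version would also decode the LinkTargetIDList, since a shortcut can carry its real target there while leaving the RELATIVE_PATH string empty or misleading.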