North Korean state-sponsored threat actor ScarCruft, also known as APT37, Ruby Sleet, Ricochet Chollima, InkySquid, and RedEyes, has targeted media organizations and individuals knowledgeable in North Korean affairs in a new attack campaign deploying the RokRAT backdoor, The Hacker News reports.
According to a report from SentinelOne, the attacks began with emails purporting to come from a member of a North Korea research institute, luring targets into opening a ZIP archive that contained malicious Windows shortcut (.lnk) files used to deploy the RokRAT backdoor. Opening the news.lnk file triggered execution of shellcode that ultimately led to RokRAT delivery. However, researchers noted that active use of this infection method has yet to be observed.
"ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies. This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea's decision-making processes," said researchers.