ScarCruft, a North Korean advanced persistent threat (APT) group, has been using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware, according to reports by AhnLab Security Emergency Response Center (ASEC), SEKOIA.IO, and Zscaler.
This new tactic is part of ScarCruft’s ongoing effort to refine and retool its tradecraft to sidestep detection: the group constantly evolves its tools, techniques, and procedures, experimenting with new file formats and delivery methods to bypass security vendors.
Active since at least 2012, ScarCruft has shown an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes.
ScarCruft has been observed using other file formats such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets.
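Since the reports describe CHM files being used to fetch further malware, one practical detection check is whether the Windows help viewer (hh.exe) ever spawns a script interpreter or download-capable utility. The following is an added example written for this page, not code from the cited reports; the key="value" log format and the sample lines are constructed, and the list of suspicious child processes is an assumption drawn from general living-off-the-land knowledge rather than from the reports.

```python
"""Flag process-creation events where the CHM viewer (hh.exe) launches a child
that can fetch or run additional code. Added detection example; the log
format and sample lines below are constructed for illustration."""
import re
from dataclasses import dataclass

# Children a help file has no legitimate reason to launch (assumed list).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe",
                       "certutil.exe", "bitsadmin.exe", "curl.exe"}
# Command-line fragments that suggest a download or an encoded payload.
DOWNLOAD_MARKERS = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc\b|urlcache",
    re.I)

@dataclass
class Finding:
    host: str
    child: str
    severity: str
    command_line: str

def parse_event(line):
    """Parse key="value" pairs from one constructed process-creation log line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def flag_chm_children(lines):
    """Return findings for every hh.exe child in SUSPICIOUS_CHILDREN; 'high'
    if the command line also carries a download/encoding marker, else 'medium'."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent != "hh.exe" or child not in SUSPICIOUS_CHILDREN:
            continue  # benign: e.g. explorer.exe opening a .chm, or hh.exe idle
        cmdline = ev.get("CommandLine", "")
        severity = "high" if DOWNLOAD_MARKERS.search(cmdline) else "medium"
        findings.append(Finding(ev.get("Host", "?"), child, severity, cmdline))
    return findings

# Constructed sample telemetry (not real campaign data).
SAMPLE_LOG = [
    r'Host="ws01" ParentImage="C:\Windows\hh.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden -enc CONSTRUCTED_PLACEHOLDER"',
    r'Host="ws01" ParentImage="C:\Windows\hh.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c start decoy.txt"',
    r'Host="ws02" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\hh.exe" CommandLine="hh.exe C:\Users\u\Desktop\manual.chm"',
]

if __name__ == "__main__":
    for f in flag_chm_children(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host}: hh.exe -> {f.child}: {f.command_line}")
```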
The infection chains often serve to display a decoy file and deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.
The new capabilities of Chinotto include capturing screenshots every five seconds and logging keystrokes, with the captured information saved in a ZIP archive and sent to a remote server.
ScarCruft managed to maintain a GitHub repository that staged malicious payloads for more than two years without being detected or taken down. The insights into ScarCruft’s various attack vectors come from this repository, which the group has used to host malicious payloads since October 2020.
ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.
It is not clear how these pages are accessed by the victims, raising the possibility that they may have been embedded inside iframes on websites controlled by the attacker or sent as HTML attachments via email.
Another piece of malware named AblyGo has also been discovered by SEKOIA.IO. It is a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.
The use of CHM files to smuggle malware appears to be catching on with other North Korea-affiliated groups as well, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.