ScarCruft, a North Korea-sponsored advanced persistent threat (APT) group, is gearing up to target cybersecurity researchers and other members of the threat intelligence community in future attacks. These attacks are likely a bid to steal nonpublic threat intelligence and improve the group's operational playbook.
Analysis by SentinelLabs shows ScarCruft targeting media organizations and think-tank personnel focused on North Korean affairs throughout November and December. The attacks were impersonation-style campaigns that researchers expect to continue into 2024. While analyzing the campaign, SentinelLabs discovered in-development malware and trial infection chains that point to a different series of attacks. North Korean actors have targeted cybersecurity professionals in the past; what is new about this infection routine is its lure: a technical threat research report on the North Korean APT Kimsuky, published in October by Genians, a South Korean cybersecurity company. Using research that calls out a fellow APT as bait appears to be a new approach.
Based on the lure and other details in the malware testing activity, the expected targets of the infection are cybersecurity professionals or businesses. SentinelLabs concluded that one aim of the infection is likely to steal reports in order to learn whether researchers are onto ScarCruft's latest tactics, techniques and procedures. Another goal could be gaining access to cybersecurity environments to use as a basis for convincing impersonation attacks.
Read More: North Korea’s ScarCruft Attackers Gear Up to Target Cybersecurity Pros