The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.
According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group’s continuous efforts to refine and retool its tactics to sidestep detection.
“The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors,” Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.
ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012.
Last month, ASEC disclosed a campaign that employed HWP files that take advantage of a security flaw in the Hangul word processing software to deploy a backdoor referred to as M2RAT.
But new findings reveal the threat actor is also using other file formats such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets.
These infection chains often serve to display a decoy file and deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.
Some of the new capabilities of Chinotto include capturing screenshots every five seconds and logging keystrokes. The captured information is saved in a ZIP archive and sent to a remote server.
The insights about ScarCruft’s various attack vectors come from a GitHub repository maintained by the adversarial collective to host malicious payloads since October 2020.
“The threat actor was able to maintain a GitHub repository, frequently staging malicious payloads for more than two years without being detected or taken down,” Zscaler researchers said.
Outside of malware distribution, ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.
It’s however not clear how these pages are accessed by the victims, raising the possibility that they may have been embedded inside iframes on websites controlled by the attacker or sent as HTML attachments via email.
Also discovered by SEKOIA.IO is a piece of malware named AblyGo, a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.
The use of CHM files to smuggle malware appears to be catching on with other North Korea-affiliated groups as well, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.