North Korea’s ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that targets South Korean individuals and entities through spear-phishing attacks.
The group’s malware of choice, RokRAT, is capable of credential theft, data exfiltration, system information gathering, command and shellcode execution, and file and directory management. ScarCruft’s backdoor is actively developed and maintained, and the group uses cloud-based services to disguise its command-and-control (C2) communications.
ScarCruft also uses other bespoke malware families such as Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and M2RAT, along with the commodity malware Amadey, to confuse attribution. The cloud services it abuses for C2 include Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud, which makes the traffic blend in with legitimate activity.
The findings come as Kaspersky disclosed a new Go-based malware developed by ScarCruft that utilizes the cloud messaging service Ably as a C2 mechanism for the first time and comes with extensive capabilities to steal sensitive information from victims.