Security News > 2021 > November > ScarCruft APT Mounts Desktop/Mobile Double-Pronged Spy Attacks

ScarCruft APT Mounts Desktop/Mobile Double-Pronged Spy Attacks
2021-11-29 19:08

The North Korea-linked ScarCruft advanced persistent threat group has developed a fresh, multiplatform malware family for attacking North Korean defectors, journalists and government organizations involved in Korean Peninsula affairs.

ScarCruft specifically controls the malware using a PHP script on a compromised web server, directing the binaries based on HTTP parameters.

"The actor leverages Windows executable versions and PowerShell versions to control Windows systems. We may presume that if a victim's host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone."

"Based on the build timestamp of the malware, we assess that the malware author used the PowerShell embedded version from mid-2019 to mid-2020 and started to use the malicious, PowerShell-less Windows executable from the end of 2020 onward."

"After the initial infection, the actor attempted to implant additional malware, but an error occurred that led to the crash of the malware. The malware operator later delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim."

As for attribution, Kaspersky researchers discovered several code overlaps with an older known ScarCruft malware named POORWEB as well as a document-stealer malware the APT is known to use.


News URL

https://threatpost.com/scarcruft-apt-desktop-mobile-attacks/176620/