North Korea’s ScarCruft Targets Academics With RokRAT Malware

A new report reveals North Korea-linked ScarCruft is using RokRAT malware to target academics in a phishing campaign. Read about the cyber-espionage threat and the group’s evolving tactics.
Cybersecurity researchers from Seqrite Labs have discovered a new and highly targeted attack campaign linked to North Korea. The hacking group, known as ScarCruft or APT37, is deploying a malicious tool called RokRAT to spy on South Korean academics, researchers, and former government officials.
This operation has been named HanKook Phantom: HanKook means Korea, while Phantom reflects the stealthy, evasive nature of the attack.
The attacks begin with a fake email, a technique known as spear-phishing. This is a targeted form of phishing in which the attackers impersonate a trusted sender to lure one specific person. In this case, the emails were disguised as a newsletter from a research society.
When a victim opens the attachment, which is made to look like a harmless PDF document, the RokRAT implant is silently installed on their computer. A second variant of the lure used as its decoy a public statement by North Korea's Kim Yo Jong, dated July 28, rejecting Seoul's overtures at reconciliation.
Once running, the malware can take screenshots, steal files and collect other private information. The operators then use legitimate cloud services, such as Dropbox and Google Cloud, to receive the stolen data, which makes the exfiltration traffic hard to tell apart from ordinary use of those services.
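Because the implant hides its exfiltration inside traffic to legitimate cloud storage APIs, blocking the destinations is rarely an option; a more useful check is which process on the endpoint is talking to those APIs. The following is an added example, not code from the Hackread article or from Seqrite's report: a small heuristic that scans endpoint network logs for uploads to Dropbox and Google Cloud storage endpoints originating from processes other than browsers or official sync clients. The log format, the sample log lines, the expected-client list and the process names are constructed for the demo; the hostnames are real API endpoints, but which of them an implant uses is an assumption, not something the article states.

```python
"""Heuristic detector for cloud-storage exfiltration from unexpected processes.

Added example, not the article's or Seqrite's code. Log format, sample lines
and the allow-list of expected client processes are constructed/assumed.
"""
import re
from collections import defaultdict

# Cloud storage API endpoints to watch. These are real hostnames, but the
# choice of which ones an implant would use is an assumption for this example.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "storage.googleapis.com": "google-cloud",
    "www.googleapis.com": "google-cloud",
}

# Processes expected to talk to those endpoints (assumed; tune per environment).
EXPECTED_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "googledrivesync.exe",
}

# Constructed endpoint-log format: timestamp, host, user, quoted process path,
# destination hostname and bytes sent in that flow.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'proc="(?P<proc>[^"]+)" dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$'
)

# Constructed sample log: one workstation uploading several MB to Dropbox from
# PowerShell, another uploading from a binary in %TEMP%, plus benign noise.
SAMPLE_LOG = r"""
2025-08-21T09:14:02Z host=WS-RESEARCH-07 user=jlee proc="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dst=content.dropboxapi.com bytes_out=5242880
2025-08-21T09:14:05Z host=WS-RESEARCH-07 user=jlee proc="C:\Program Files\Google\Chrome\Application\chrome.exe" dst=www.googleapis.com bytes_out=2048
2025-08-21T09:16:11Z host=WS-RESEARCH-07 user=jlee proc="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dst=content.dropboxapi.com bytes_out=3145728
2025-08-21T09:20:30Z host=WS-ADMIN-02 user=kpark proc="C:\Users\kpark\AppData\Roaming\Dropbox\Dropbox.exe" dst=api.dropboxapi.com bytes_out=900
2025-08-21T09:22:44Z host=WS-RESEARCH-07 user=jlee proc="C:\Windows\System32\svchost.exe" dst=update.microsoft.com bytes_out=1200
2025-08-21T09:25:01Z host=WS-ADMIN-02 user=kpark proc="C:\Users\kpark\AppData\Local\Temp\reader.exe" dst=storage.googleapis.com bytes_out=1048576
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    # Reduce the full Windows path to a lower-cased image name for matching.
    ev["image"] = ev["proc"].rsplit("\\", 1)[-1].lower()
    return ev


def find_suspicious(lines, min_bytes=1):
    """Return [(host, image, provider, total_bytes_out)] for flows to cloud
    storage endpoints from processes not in EXPECTED_CLIENTS, summed per
    (host, image, provider) and filtered by a byte threshold."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        provider = CLOUD_STORAGE_HOSTS.get(ev["dst"].lower())
        if provider is None or ev["image"] in EXPECTED_CLIENTS:
            continue
        totals[(ev["host"], ev["image"], provider)] += ev["bytes"]
    return sorted((h, img, prov, b) for (h, img, prov), b in totals.items()
                  if b >= min_bytes)


if __name__ == "__main__":
    for host, image, provider, sent in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{host}: {image} sent {sent} bytes to {provider}")
```

Summing bytes per (host, process, provider) rather than alerting on single flows keeps chatty but small API calls below the threshold while still surfacing a multi-megabyte upload split across several requests. In a real deployment the allow-list would be keyed on signed image paths rather than bare file names, since a dropper can trivially name itself chrome.exe.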
This campaign is just one example of the persistent cyber threat from North Korea. While their primary focus is on South Korea, ScarCruft has also targeted several other countries, including the following:
- India
- Nepal
- China
- Japan
- Russia
- Kuwait
- Vietnam
- Romania
Past reports from Hackread.com highlight that ScarCruft constantly evolves its tactics. In December 2022, ESET researchers discovered the group using a sophisticated backdoor called Dolphin to spy on government and media organisations. This followed reports from August 2021 of the group using a different malware, Konni RAT, against Russian targets.
More recently, a South Korean firm, S2W, reported that ScarCruft is now using a new ransomware called VCD in addition to its traditional spying tools. This campaign, carried out by a subgroup called ChinopuNK, used emails with a fake postal code update to infect victims with a variety of malware, including LightPeek and NubSpy.
HackRead