Recent Cyber Surveillance Attacks Target North Korean Defectors and Journalists
In a disturbing development, advanced persistent threats (APTs) linked to nation-state actors have launched a series of highly targeted surveillance attacks against North Korean defectors, journalists covering North Korea, and associated organizations based in South Korea. Reports from Russian cybersecurity firm Kaspersky revealed that the hacker group known as ScarCruft—also identified as APT37, Reaper Group, InkySquid, and Ricochet Chollima—has been behind these infiltrations.
Kaspersky’s Global Research and Analysis Team (GReAT) noted that the attackers employed three different types of malware that, despite being designed for distinct platforms—including PowerShell, Windows executables, and Android apps—operated on a unified command and control framework utilizing HTTP communication. This allows the malware operators to manage their entire portfolio of malware using a single set of control scripts, enabling a streamlined and effective attack mechanism.
ScarCruft has been active since at least 2012, primarily targeting both the public and private sectors in South Korea to extract sensitive data from compromised systems. The group has previously been known to use a Windows-based backdoor termed RokRAT. The initial attack vector typically involves spear-phishing, where the actor dispatches emails carrying malicious documents aimed at specific victims. In one notable incident in August 2021, the group exploited vulnerabilities in the Internet Explorer browser, deploying a custom implant known as BLUELIGHT through a watering hole attack against a South Korean online news outlet.
In a case under investigation by Kaspersky, the attackers first used compromised Facebook account credentials to contact the victim’s associates, subsequently sending a spear-phishing email that included a password-protected RAR archive containing a decoy Word document related to North Korea and national security. Opening this document activated a macro that decrypted an embedded Visual Basic for Applications (VBA) payload, which in turn retrieved a more comprehensive backdoor from a remote server.
Post-infection activities revealed that following a breach on March 22, 2021, the operators collected screenshots for two months. They later deployed an advanced malware known as Chinotto to control the victim’s device and exfiltrate sensitive information. Chinotto is particularly noteworthy because it includes a variant for Android that was distributed via smishing attacks, requesting broad permissions that allowed it to access messages, call logs, and data stored within a range of applications, including Huawei Drive and Tencent WeChat.
Kaspersky collaborated with emergency response teams in South Korea to dismantle the infrastructure supporting ScarCruft’s attacks and traced elements of Chinotto back to a previously used backdoor known as PoorWeb. The case highlights the increasing vulnerability of journalists, defectors, and human rights advocates, who often lack the resources and tools to defend against sophisticated cyber threats.
Mapped to the MITRE ATT&CK framework, the tactics likely employed by the adversaries follow common methodologies: initial access through spear-phishing, persistence via installed malware, and privilege escalation during the exploitation phase. As the landscape of cyber threats continues to evolve, businesses and organizations must remain vigilant and proactive in safeguarding sensitive information, especially those working in areas exposed to such targeted attacks.