North Korean APT Adapts to Macro-Blocking by Employing LNK Trick
North Korean APT 37, also known as "Scarcruft," has been found switching to LNK (Windows shortcut) files to bypass macro blocking in cyber espionage attacks that deliver the RokRAT malware.

The advanced persistent threat (APT) group is believed to have links to North Korea's Ministry of State Security (MSS) and is known for its domestic counterespionage and overseas counterintelligence activities.
Scarcruft has a history of innovative evasion techniques, including exploitation of a Flash Player vulnerability (CVE-2016-4117) and use of compromised servers, messaging platforms, and cloud service providers to avoid detection and establish command and control (C2). The group often routes C2 traffic through cloud services such as Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud so that it blends in with legitimate traffic.
The APT group has primarily targeted South Korean individuals and organizations through spear-phishing attacks designed to deliver various custom tools, including wiper malware, credential stealers like ZUMKONG, and audio-capture utilities like SOUNDWAVE.
Once C2 is established, APT 37 engages in credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management.
After Microsoft moved to block Office macros by default in 2022, Scarcruft is believed to have started experimenting with oversized LNK files as a delivery route for RokRAT malware. This approach uses multi-stage infection chains that do not depend on macros, sidestepping the macro-blocking mitigation.
RokRAT and its variants are equipped to carry out a wide range of activities, such as credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management.
In April 2023, Scarcruft used macro-based Word documents together with decoy LNK files to trigger the infection chain. The AhnLab Security Emergency Response Center (ASEC) discovered the tactic last week when it found PowerShell commands deploying RokRAT malware. In 2021, Malwarebytes reported a novel use of an embedded VBA (Visual Basic for Applications) macro that decoded itself within the memory of the Microsoft Office application, so the decoded payload never had to be written to disk.
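The two traits described above, a shortcut that launches PowerShell and a shortcut file that is far larger than its Shell Link structure needs, are both visible to a defender without executing anything. The following triage script is an added example and not code from the original report or from ASEC or Malwarebytes: it parses the MS-SHLLINK header and StringData fields, flags PowerShell targets and hidden-window or policy-bypass switches, and measures how many bytes trail the end of the parsed structure. The `OVERSIZE_SLACK_BYTES` threshold, the marker list, and the sample `.lnk` bytes are all assumptions constructed here for illustration.

```python
"""Triage Windows shortcut (.lnk) files for a PowerShell launcher and for
'oversized' trailing data after the Shell Link structure (MS-SHLLINK layout).
Added example; the sample .lnk bytes below are constructed, not real samples."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80

# Assumed thresholds: legitimate shortcuts are a few KB, so this much unparsed
# data after the structure is worth a closer look.
OVERSIZE_SLACK_BYTES = 64 * 1024
SUSPICIOUS_ARG_MARKERS = ("-windowstyle hidden", "-w hidden", "-encodedcommand",
                          "-enc ", "-executionpolicy bypass", "-ep bypass")


def parse_lnk(data: bytes) -> dict:
    """Parse header flags, skip IDList/LinkInfo, read StringData and ExtraData;
    return the fields plus the offset where the structure ends."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize is the first field
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:                           # CountCharacters then chars, no terminator
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            off += width * count
    # ExtraData: blocks prefixed by a 4-byte size; a size below 4 is the terminal block.
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        if off + block_size > len(data):          # malformed block, stop parsing
            break
        off += block_size
    return {"flags": flags, "parsed_end": off, "file_size": len(data), **strings}


def triage_lnk(data: bytes) -> dict:
    """Return parsed fields plus a list of human-readable findings."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    findings = []
    if "powershell" in target or "powershell" in args:
        findings.append("launches PowerShell")
    hits = [m for m in SUSPICIOUS_ARG_MARKERS if m in args]
    if hits:
        findings.append("suspicious PowerShell switches: " + ", ".join(hits))
    trailing = info["file_size"] - info["parsed_end"]
    if trailing > OVERSIZE_SLACK_BYTES:
        findings.append(f"{trailing} bytes after the Shell Link structure (possible embedded stage)")
    return {"findings": findings, "trailing_bytes": trailing, **info}


def build_lnk(relative_path: str, arguments: str, trailing: bytes = b"") -> bytes:
    """Construct a minimal Unicode .lnk (header + StringData + terminal block) for testing."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))    # remaining header fields zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4 + trailing


# Constructed samples: an ordinary application shortcut and a PowerShell launcher
# padded with 200 KB of zeros standing in for an appended second stage.
BENIGN_LNK = build_lnk(r"..\..\Program Files\SomeEditor\editor.exe", "")
SUSPECT_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-WindowStyle Hidden -NoProfile -Command <constructed placeholder, not a real payload>",
    trailing=b"\x00" * (200 * 1024),
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        result = triage_lnk(blob)
        print(f"{label}: size={result['file_size']} trailing={result['trailing_bytes']} "
              f"findings={result['findings'] or 'none'}")
```

The trailing-byte measurement is the useful signal here: Windows ignores anything after the terminal ExtraData block, so a shortcut can carry arbitrary data without affecting how it behaves when double-clicked, and the gap between `file_size` and `parsed_end` exposes that slack regardless of what the appended bytes contain.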
After decoding, the infection chain deployed a RokRAT variant into Notepad. The discovery highlights the continuing evolution of these threat actors, who keep refining how they exploit system weaknesses and avoid detection.
Security teams must remain vigilant, as attackers continue to evolve their tactics, abusing cloud storage and applications for command and control and chaining macros, LNK files, and PowerShell commands into multi-stage attacks.