ScarCruft, a North Korean-based threat actor group, has been seen using weaponized Microsoft Compiled HTML Help files to download additional malware on infected machines. The group, also known as APT37, Reaper, and RedEyes, has been seen increasing activity since the start of the year, targeting a number of entities in South Korea.
The infection chain for this campaign starts with a phishing email containing either a RAR or ZIP archive file. These archive files contain a malicious CHM file which, when executed, is used to launch a mshta.exe process. This mshta.exe process connects to a remote server controlled by the attacker to execute another payload that leads to a Chinotto PowerShell backdoor file being downloaded and executed. Persistence for this PowerShell backdoor is established by creating a Run key in the Registry on the infected system; this Run key is configured to re-execute the mshta.exe process on startup. The Chinotto malware contains the capability to execute commands on the system, after which the result is saved to a file and then sent back to the C2 via an HTTP POST request. The malware also includes the ability to capture screenshots of the system every five seconds and log keystrokes. This data is then saved in a ZIP file and sent back to the C2.
Insight into ScarCruft’s various attack vectors was possible due to a GitHub repository discovered to be maintained by the threat group. The GitHub repository existed for nearly two years, undetected, to host and stage malicious payloads for various campaigns.
Analyst Notes
Email-based security is one of the most effective methods to help prevent malware infections from occurring in the first place. Utilizing proper email security controls, such as AV scanning and sandboxing for attachments, is highly recommended to help prevent malicious files or URLs from being presented to an end user. In cases where a malicious item may make it through, having strong endpoint security controls, such as an EDR, can help prevent a compromise of a system. EDRs not only provide great prevention capability, they also provide the ability to detect potentially malicious behavior. The infection chain used by this ScarCruft campaign exhibits many behaviors that could be considered suspicious. The HTML Help process hh.exe spawning a mshta.exe process, mshta.exe making external network connections and launching PowerShell, PowerShell making frequent outbound network connections to the same remote address, and PowerShell executing a cmd.exe process to launch further commands are all behaviors that can be considered suspicious. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
https://thehackernews.com/2023/03/scarcrufts-evolving-arsenal-researchers.html
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/
