ScarCruft Hackers Exploit LNK Files to Spread RokRAT for Cyberespionage

Written by Gabby Lee

June 1, 2023

In a recent analysis, cybersecurity experts have provided detailed insights into the RokRAT remote access trojan, utilized by ScarCruft, a state-sponsored threat actor associated with North Korea.

RokRAT is an advanced RAT that plays a crucial role in the attacker’s overall strategy, granting unauthorized entry, extracting sensitive data, and potentially establishing persistent control over compromised systems.

ScarCruft, an espionage group with a track record dating back to 2012, conducts cyber operations on behalf of the North Korean government, specifically focusing on targets in South Korea.

ScarCruft, suspected to operate under the North Korean Ministry of State Security (MSS), employs sophisticated attack strategies that heavily rely on social engineering techniques to spear-phish victims and infiltrate target networks.

One notable method involves exploiting vulnerabilities in Hancom’s Hangul Word Processor (HWP), a popular productivity software used by public and private entities in South Korea. This exploitation allows ScarCruft to deploy the RokRAT malware.

The RokRAT Backdoor

Initially designed as a Windows backdoor named DOGCALL, RokRAT has undergone active development and maintenance. It has since expanded its reach to other operating systems, including macOS and Android.

Recent targeted phishing campaigns, as reported by the AhnLab Security Emergency Response Center (ASEC) and Check Point, have employed LNK files to initiate multi-stage infection sequences, ultimately leading to the deployment of the RokRAT malware.

RokRAT provides the threat actors with various capabilities, including collecting system metadata, capturing screenshots, executing remote commands, directory enumeration, and the exfiltration of specific files.

ASEC’s disclosure of a ScarCruft attack highlighted the use of a Windows executable disguised as a Hangul document, which drops malware programmed to establish contact with an external URL every 60 minutes.

Although the URL appears to be a legitimate homepage, ASEC noted that it hosts a web shell, indicating malicious intent.
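One way a defender can hunt for the fixed 60-minute check-in described above is to look for host/URL pairs that recur at a near-constant interval in proxy logs. This is an added example, not code from ASEC's report or the original article; the log format, hostnames and URLs are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the original report):
# "<ISO timestamp> <client host> <requested URL>"
SAMPLE_LOG = """\
2023-06-01T08:00:05 ws-17 http://example-legit-homepage.test/index.php
2023-06-01T08:14:40 ws-17 http://news.example.test/front
2023-06-01T09:00:09 ws-17 http://example-legit-homepage.test/index.php
2023-06-01T09:31:12 ws-17 http://news.example.test/front
2023-06-01T10:00:02 ws-17 http://example-legit-homepage.test/index.php
2023-06-01T11:00:11 ws-17 http://example-legit-homepage.test/index.php
2023-06-01T11:45:50 ws-17 http://news.example.test/front
"""

def parse(log_text):
    """Yield (timestamp, host, url) tuples from the constructed log format."""
    for line in log_text.splitlines():
        ts, host, url = line.split(" ", 2)
        yield datetime.fromisoformat(ts), host, url

def find_periodic_beacons(log_text, period_s=3600, tolerance_s=120, min_hits=4):
    """Return (host, url, mean_gap_s) for host/URL pairs whose requests recur
    at a near-constant interval close to period_s (default: 60 minutes).
    Both the mean gap and its spread must sit within tolerance_s, so ordinary
    browsing with irregular timing is not flagged."""
    seen = defaultdict(list)
    for ts, host, url in parse(log_text):
        seen[(host, url)].append(ts)
    findings = []
    for (host, url), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            findings.append((host, url, round(mean(gaps))))
    return findings

if __name__ == "__main__":
    for host, url, gap in find_periodic_beacons(SAMPLE_LOG):
        print(f"{host} -> {url} checks in every ~{gap}s")
```

The homepage URL is flagged because its four requests land about 3600 s apart with only seconds of jitter, while the news site's three irregular visits are not.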
