Ethical Hacking News

The ScarCruft APT Group: Uncovering the Threats and Tactics of a Suspected North Korean Actor




The ScarCruft APT group has been identified as a sophisticated threat actor linked to North Korea's Ministry of State Security. The group employs various tactics and techniques, including the use of malware tools such as "FadeStealer" and the "AblyGo backdoor." SentinelOne researchers have observed an increase in activity from ScarCruft, indicating a continued focus on acquiring strategic intelligence and possibly gaining insights into non-public cyber threat intelligence and defense strategies. The group's tactics and techniques are likely to evolve over time, making it essential for organizations to remain vigilant and implement robust cybersecurity measures to protect themselves against these threats.

  • SentinelOne has identified a sophisticated threat actor known as ScarCruft, believed to be affiliated with North Korea's Ministry of State Security (MSS).
  • The ScarCruft APT group is linked to various threats, including the "FadeStealer" info-stealer and the "AblyGo backdoor" custom malware.
  • The threat actors employ tactics such as spear phishing emails, hidden malware disguised as a password file, and wiretapping using microphones.
  • ScarCruft's initial breach leads to the installation of a backdoor, which connects with command and control servers operated by attackers.
  • There are several variants of the "FadeStealer" malware, each with unique capabilities, including data theft, system information discovery, and communication over web services.
  • The ScarCruft APT group is linked to the RedEyes APT group, a state-sponsored actor focused on targeting individuals and organizations related to North Korean traitors and EU-based organizations.



    SentinelOne, a renowned cybersecurity firm, has recently uncovered evidence of a sophisticated threat actor known as ScarCruft, which is believed to be affiliated with North Korea's Ministry of State Security (MSS). The ScarCruft APT group has been identified by SentinelOne researchers through its involvement in various cyber espionage campaigns targeting media organizations and high-profile experts in North Korean affairs.

    The ScarCruft APT group has been linked to several notable threats, including the "FadeStealer" info-stealer, a malware tool that enables threat actors to listen in on victims' microphones and capture audio through wiretapping. The "AblyGo backdoor" is another custom malware used by the threat actors, which leverages the Ably API service provider as a command and control platform.

    The researchers at SentinelOne have also identified various other tactics and techniques employed by the ScarCruft APT group, including the use of spear phishing emails containing password-protected documents and hidden malware disguised as a password file. The threat actors have been known to trick targets into opening a CHM (compiled HTML Help) file, which secretly downloads a PowerShell script that infects their Windows computer.

    The initial breach is followed by the installation of a backdoor, which connects with command and control servers operated by the attackers. This backdoor serves as a conduit for the deployment of additional malware, including the "FadeStealer," which steals various information from Windows devices.

    The SentinelOne researchers have also discovered several other variants of the FadeStealer malware, each with its own unique set of capabilities. The variants include:

    * S0240: This variant of the FadeStealer malware is capable of stealing a wide range of data, including credentials from password stores, data from local systems, and screen captures.
    * S0217: This variant of the malware includes the capability to perform ingress tool transfer, capture screens, and discover system information.
    * S0218: This variant of the malware focuses on ingress tool transfer, system information discovery, and communication over web services.
    * S0219: This variant of the malware is capable of application window discovery, command and scripting interpreter use, file and directory discovery, process discovery, system information discovery, and system owner/user discovery.

    The SentinelOne researchers have also identified the AblyGo backdoor as a custom malware that leverages the Ably API service provider to establish communication with the C2 server. This backdoor is used to deploy additional malware, including the "FadeStealer," which steals various information from Windows devices.
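The two behaviours described above (a CHM file launching PowerShell, and a backdoor using the Ably API as its C2 channel) can be turned into host-based detection logic. The following is an added example written for this page, not code from SentinelOne or any vendor; it runs over constructed Sysmon-style events, and the Ably hostnames it matches are an assumption that should be verified against Ably's current documentation.

```python
"""Detection logic for two ScarCruft behaviours described in the article:
(1) the Windows HTML Help viewer (hh.exe) spawning PowerShell, and
(2) a non-browser process connecting to the Ably API (used by AblyGo as C2).
Field names follow Sysmon Event ID 1 (process create) and ID 3 (network connect)."""
import re

# Assumed Ably public API hostnames (e.g. rest.ably.io); verify before deploying.
ABLY_HOST_RE = re.compile(r"(^|\.)ably\.(io|com)$", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Flag hh.exe launching PowerShell (the CHM-to-PowerShell chain)."""
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent == "hh.exe" and child in {"powershell.exe", "pwsh.exe"}:
        return "CHM launched PowerShell: %s" % ev.get("CommandLine", "")
    return None


def check_network_connect(ev):
    """Flag connections to Ably endpoints from anything that is not a browser."""
    host = ev.get("DestinationHostname", "")
    image = _basename(ev.get("Image", ""))
    if ABLY_HOST_RE.search(host) and image not in BROWSERS:
        return "Non-browser process %s contacted Ably host %s" % (image, host)
    return None


def scan(events):
    """Return alert strings for every event that matches either check."""
    checks = {1: check_process_create, 3: check_network_connect}
    alerts = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <constructed arguments>"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "rest.ably.io"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "realtime.ably.io"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Legitimate applications that use Ably will also trigger the second check, so tune `BROWSERS` (or an allow-list of signed binaries) to the environment before alerting on it.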

    The ScarCruft APT group has also been linked to the RedEyes APT group, which has been active since at least 2012 and is known for its involvement in cyber espionage attacks aligned with the interests of North Korea. The RedEyes APT group has been identified as a state-sponsored actor that focuses on targeting individuals and organizations related to North Korean defectors, educational institutions, and EU-based organizations.

    In recent months, SentinelOne researchers have observed an increase in activity from ScarCruft, indicating a continued focus on acquiring strategic intelligence and possibly gaining insights into non-public cyber threat intelligence and defense strategies. The group's tactics and techniques are likely to evolve over time, making it essential for organizations to remain vigilant and implement robust cybersecurity measures to protect themselves against these threats.



    Related Information:

  • https://thehackernews.com/2024/10/north-korean-hackers-using-new.html

  • https://www.cyclonis.com/north-korean-hackers-use-veilshell-malware-secret-cyber-attacks/

  • https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/

  • https://www.darkreading.com/threat-intelligence/north-koreasc-arcruft-attackers-target-cybersecurity-pros

  • https://www.pcrisk.com/removal-guides/27089-fadestealer-malware

  • https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/

  • https://asec.ahnlab.com/en/54349/

  • https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/

  • https://cybersecuritynews.com/redeyes-apt-group/

  • https://attack.mitre.org/groups/G0067/


  • Published: Fri Oct 4 14:47:50 2024 by llama3.2 3B Q4_K_M
