North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

SentinelOne researchers have uncovered a new infection chain in which North Korean actors pose as a member of the North Korea Research Institute to trick recipients into opening a ZIP archive containing malicious files designed to infect the targeted system with the RokRAT backdoor. In total the archive contains 9 files, seven of which are benign while the other two are malicious Windows shortcut files ("intelligence.lnk" and "news.lnk"). The first LNK file opens the legitimate Notepad application as a decoy, while the second paves the way for the execution of RokRAT via malicious shellcode.
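
The archive layout described above (a handful of benign documents with two Windows shortcut files mixed in) is easy to catch at the mail gateway or on a sandbox before anything is opened. The following is an added example, not SentinelOne's tooling: it inspects every member of a ZIP for the Shell Link header magic (MS-SHLLINK, HeaderSize 0x4C followed by the LinkCLSID), so a shortcut is flagged by content rather than by extension; the sample archive it builds is constructed here and is not the real lure.

```python
import io
import zipfile

# A Shell Link (.lnk) file begins with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def scan_zip_for_lnk(zip_bytes: bytes) -> dict:
    """Return which members of a ZIP archive are Windows shortcut files.

    Detection uses the header magic, not the file name, so a shortcut renamed
    to look like a document is still reported. Directory entries are skipped.
    """
    findings = {"total": 0, "lnk": [], "benign": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings["total"] += 1
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                # record the size too: LNK files carrying payloads are far
                # larger than an ordinary shortcut
                findings["lnk"].append((info.filename, info.file_size))
            else:
                findings["benign"].append(info.filename)
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document bundle should never ship shortcut files; any hit is enough."""
    return bool(findings["lnk"])


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the nine-file layout: seven benign text
    members plus two members that carry the Shell Link header. Hypothetical
    content, not the actual campaign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(7):
            zf.writestr(f"research/report_{i}.txt", "benign placeholder text\n")
        zf.writestr("intelligence.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("news.lnk", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()
```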

Security Officer Comments:
SentinelOne has attributed the latest campaign, which was initiated in December 2023, to ScarCruft, also known as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet. The group is known for targeting governments and defectors with spear-phishing lures that deliver RokRAT and other payloads, with the end goal of cyber espionage. Researchers say the latest campaign is going after cybersecurity professionals who are interested in, or have collected intelligence on, North Korea. By infecting these individuals, the actors hope to gain insight into non-public cyber threat intelligence and defense strategies, which they can then use to their advantage.

Suggested Corrections:
Given that ScarCruft uses spear-phishing to distribute malware and compromise systems, users should exercise caution and avoid opening links or attachments in emails from unknown senders. For detection purposes, SentinelOne has also included the email addresses and domains employed by ScarCruft actors in these operations. These can be accessed using the link below: