Microsoft's default blocking of macros in Office documents has prompted the North Korean state-sponsored threat group ScarCruft, also known as APT37, Nickel Foxcroft, RedEyes, InkySquid, Ricochet Chollima, and Reaper, to deliver the RokRAT malware through oversized LNK files since last July, according to The Hacker News.
ScarCruft has been launching spear-phishing attacks that use LNK files to trigger multi-stage infection chains ending in the deployment of RokRAT, also known as DOGCALL, or of its Android and macOS variants, dubbed RambleOn and CloudMensis respectively, a report from Check Point showed.
All RokRAT variants support credential and data exfiltration, system information collection, shellcode and command execution, screenshot capture, and file and directory management. Check Point assessed the LNK approach, which needs only a double-click from the victim, as more reliable than Office macros or n-day exploits, both of which require additional user interaction.
"APT37 continues to pose a considerable threat, launching multiple campaigns across the platforms and significantly improving its malware delivery methods," said Check Point.
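The "oversized LNK" pattern described above is cheap to triage because a shortcut that carries a decoy document and a script payload has to store them somewhere, and appended bytes after the last ExtraData block are the usual place. The Python script below is an added example, not Check Point's tooling or code from the campaign: it parses the MS-SHLLINK structure far enough to recover the command-line arguments the shortcut runs and to measure the trailing overlay, then flags files with a large overlay or loader-style arguments. The 1 MiB threshold, the regex list and the two sample shortcuts are assumptions constructed for this example, not indicators from the report.

```python
"""Triage .lnk files for the oversized-shortcut delivery pattern (added example)."""
import re
import struct
import sys

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian GUID) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

STRING_DATA_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)]

# Heuristic fragments for this example, not an official indicator set.
SUSPICIOUS_ARG_PATTERNS = [
    r"powershell", r"-e(nc|ncodedcommand)?\b", r"mshta", r"rundll32",
    r"cmd(\.exe)?\s*/[ck]", r"\$env:", r"-ep\s+bypass|executionpolicy\s+bypass",
    r"windowstyle\s+hidden", r"\[io\.file\]", r"\.lnk",
]


def parse_lnk(data: bytes):
    """Return (link_flags, string_data dict, offset where the structure ends)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize/LinkCLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for name, bit in STRING_DATA_FIELDS:       # StringData: CountCharacters + chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        off += count * width
    # ExtraData: BlockSize-prefixed blocks (>= 4) until a TerminalBlock (< 4)
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        if off + block_size > len(data):       # truncated block: stop here
            break
        off += block_size
    return flags, strings, off


def triage_lnk(data: bytes, overlay_threshold: int = 1024 * 1024) -> dict:
    """Flag a shortcut with a large overlay or loader-style command-line arguments."""
    _, strings, end = parse_lnk(data)
    args = strings.get("arguments", "")
    hits = [p for p in SUSPICIOUS_ARG_PATTERNS if re.search(p, args, re.IGNORECASE)]
    overlay = len(data) - end                  # bytes after the TerminalBlock
    return {"size": len(data), "overlay_bytes": overlay, "arguments": args,
            "indicators": hits, "suspicious": overlay >= overlay_threshold or bool(hits)}


def build_lnk(arguments: str, overlay: bytes = b"") -> bytes:
    """Minimal Unicode shortcut with only CommandLineArguments set (test input only)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + overlay   # 0 = TerminalBlock


# Constructed samples: an ordinary shortcut, and a loader-style one whose 2 MiB of
# padding stands in for an embedded decoy document and payload.
BENIGN_SAMPLE = build_lnk("--profile-directory=Default")
LOADER_SAMPLE = build_lnk(
    '-windowstyle hidden -ep bypass -c "$f=Get-ChildItem *.lnk; [IO.File]::ReadAllBytes($f)"',
    overlay=b"\x00" * (2 * 1024 * 1024))

if __name__ == "__main__":
    for path in sys.argv[1:]:                  # usage: python triage_lnk.py a.lnk b.lnk
        with open(path, "rb") as fh:
            print(path, triage_lnk(fh.read()))
    if len(sys.argv) == 1:
        print("benign:", triage_lnk(BENIGN_SAMPLE))
        print("loader:", triage_lnk(LOADER_SAMPLE))
```

The overlay measurement is the useful part: a genuine shortcut is a few hundred bytes to a few kilobytes, so a multi-megabyte tail is a stronger signal than any argument string, which an attacker can obfuscate. Pair it with a hunt for `.lnk` attachments inside archives, since the LNK is rarely delivered bare.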
Malicious GitHub pages and YouTube videos carrying links to purported cracked office software, automated trading bots, and game cheats have been used to deliver self-extracting, password-protected archives.
Threat actors have continued to impersonate employers on job search platforms to lure software developers into fake online interviews that end in a BeaverTail infection, while more recent attacks have deployed a new Qt-based BeaverTail build that exfiltrates browser credentials and cryptocurrency wallet data.
The U.S. Department of Justice announced that Ukrainian national Mark Sokolovsky, also known as raccoon-stealer, black21jack77777, and Photix, has pleaded guilty to operating the Raccoon Infostealer malware-as-a-service operation.