Date: 2025-09-02

HackRead reports that spear-phishing attacks spreading the RokRAT tool have been deployed by North Korean state-sponsored threat group ScarCruft, also known as APT37, against South Korean academics, former government officials, and researchers as part of the HanKook Phantom cyberespionage campaign.
APT37 commences intrusions by delivering malicious emails purporting to be a research society newsletter, which includes a PDF attachment that covertly injects RokRAT to facilitate screenshot capturing and sensitive data exfiltration, according to an analysis from Seqrite Labs. Another attack delivered RokRAT through illicit emails containing a public statement from North Korean politician and diplomat Kim Yo Jong, sister of North Korean leader Kim Jong Un, that dismisses reconciliation with South Korea. Multiple other countries, including Russia, China, India, Nepal, and Romania, have been targeted by previous ScarCruft attack campaigns. Moreover, the ChinopuNK hacking operation, a subgroup of ScarCruft, was reported by S2W to have adopted the novel VCD ransomware in recent intrusions.
