
North Korean hackers use fake Microsoft alerts to deploy NarwhalRAT malware


Coverage from The Hacker News indicates that the North Korean state-sponsored hacking group ScarCruft, also known as APT37, has been observed employing a new tactic involving spear-phishing emails that impersonate Microsoft Account security notifications to deliver a malware strain dubbed NarwhalRAT.

The attackers send emails designed to raise alarm about potential account compromise and OTP abuse, tricking recipients into opening an attachment, according to the Genians Security Center. This attachment, disguised as a Microsoft security advisory, is actually a ZIP archive containing a malicious LNK file. Upon execution, the LNK file initiates a multi-stage infection chain using batch scripts to download and install NarwhalRAT. The malware achieves persistence through a scheduled task that loads the payload directly into memory, leaving minimal traces on disk.

NarwhalRAT is capable of logging keystrokes, capturing screenshots, recording audio, exfiltrating data from USB drives, and executing commands from a command-and-control (C2) server. The malware uses Korean websites and the pCloud API as C2 channels, with the directory name "naverwhale" used to evade detection by masquerading as a legitimate browser. This marks a shift from the group's previous use of RokRAT.
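A defender-side triage sketch for the chain described in the two paragraphs above, added here as an example and not part of the SC Media or Genians reporting: it runs four heuristics over constructed Sysmon-style events (the field names, paths, task name and the sample pCloud hostname are assumptions) and reports which events trip the batch-from-staging-directory, scheduled-task-from-script-host, "naverwhale" directory and pCloud-from-script-host checks.

```python
import re

# Constructed sample events with assumed field names; none of these values
# come from the article. Event 3 is benign and should trip nothing.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Advisory\notice.bat"'},
    {"type": "process", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Sync '
                r'/tr "C:\Users\u\AppData\Roaming\naverwhale\run.bat"'},
    {"type": "network", "image": "cmd.exe", "host": "api.pcloud.com"},  # assumed host
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r"winword.exe C:\Users\u\Documents\report.docx"},
]

# Interpreters that a LNK-launched batch chain typically runs under.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Directories where an archive opened from a mail client is usually unpacked.
STAGING_DIRS = re.compile(r"\\(Temp|Downloads|INetCache)\\", re.IGNORECASE)
BATCH_REF = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def matched_rules(ev):
    """Return the names of the heuristics a single event trips."""
    hits = []
    # The "naverwhale" directory name is the one indicator the report gives.
    if "naverwhale" in " ".join(str(v) for v in ev.values()).lower():
        hits.append("naverwhale_path")
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "")
        # Batch script executed from a staging directory (LNK -> batch stage).
        if image == "cmd.exe" and BATCH_REF.search(cmd) and STAGING_DIRS.search(cmd):
            hits.append("batch_from_staging_dir")
        # Scheduled-task persistence created by a script host rather than an installer.
        if image == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
            hits.append("schtasks_create_from_script_host")
    # Cloud-storage API reached from a script host: a low-fidelity C2 hint.
    if (ev.get("type") == "network" and ev.get("image", "").lower() in SCRIPT_HOSTS
            and "pcloud" in ev.get("host", "").lower()):
        hits.append("pcloud_from_script_host")
    return hits


def triage(events):
    """Map each rule name to the indices of the events that tripped it."""
    out = {}
    for i, ev in enumerate(events):
        for rule in matched_rules(ev):
            out.setdefault(rule, []).append(i)
    return out
```

Each heuristic alone is noisy; the point is that one host tripping three of the four within minutes matches the described chain far better than any single hit.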

Source: The Hacker News
