North Korean Hackers Steal Data via MP3 Files

Cybersecurity firm Check Point has revealed that the North Korean hacking group ScarCruft has been using LNK files to deliver the RokRat trojan since July 2022. ScarCruft, also tracked as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, targets South Korean individuals and organizations through phishing attacks. The group's main tool, RokRat, is under active development and is capable of stealing account data, exfiltrating files, capturing screenshots, gathering system information, executing commands and shells, and managing files and directories. The malware also uses MP3 files as a disguise, and these were sent to the attackers through the Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud services. ScarCruft also employs other malware families, including Chinotto, Bluelight, GoldBackdoor, Dolphin, and M2RAT. In November 2022, ScarCruft used ZIP archives containing LNK files to deploy the Amadey loader, which fetches additional payloads. Check Point notes that an LNK file, which can start an infection with a single double click, is more effective for the attacker than N-day exploits or Microsoft Office macros, both of which require additional user clicks before infection occurs.
