Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.
"ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.
The North Korea-linked adversary, also known by the names APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).
The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of covert intelligence gathering in pursuit of North Korea's strategic interests.
In August 2023, ScarCruft was linked to an attack on Russian missile engineering company NPO Mashinostroyeniya alongside Lazarus Group in what has been deemed as a "highly desirable strategic espionage mission" designed to benefit its controversial missile program.
Earlier this week, North Korean state media reported that the country had carried out a test of its "underwater nuclear weapons system" in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.
The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.
While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.
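The archive described above is a typical e-mail triage case: a ZIP of "presentation materials" in which most entries are harmless and a couple are Windows shortcuts. The following Python is an added example written for this page, not code from SentinelOne or from the article, showing how a mail gateway or analyst script can flag such an archive before anyone opens it. It checks each entry by extension, by a double-extension heuristic, and by the MS-SHLLINK header bytes so a renamed shortcut is still caught. The archive it inspects is constructed inline with placeholder contents and made-up file names; the real campaign's file names are not reused.

```python
import io
import zipfile
from typing import Dict, List

# File types that rarely belong in a "presentation materials" archive
# delivered over e-mail. Shortcuts (.lnk) are the case described in the text.
SUSPICIOUS_EXTENSIONS = {".lnk", ".exe", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd"}

# Start of a Windows shortcut per the MS-SHLLINK format: HeaderSize 0x4C
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 in its
# little-endian on-disk layout. Used to identify shortcuts regardless of name.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def looks_like_lnk(data: bytes) -> bool:
    """True if the first bytes match the shortcut file header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Return archive entries grouped by the reason they were flagged."""
    findings: Dict[str, List[str]] = {
        "suspicious_extension": [],
        "double_extension": [],
        "lnk_content": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in SUSPICIOUS_EXTENSIONS:
                findings["suspicious_extension"].append(name)
            # Heuristic: "report.pptx.lnk" tries to look like a document.
            if len(parts) > 2 and ext in SUSPICIOUS_EXTENSIONS:
                findings["double_extension"].append(name)

            # Only the header is read, so large archives stay cheap to scan.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if looks_like_lnk(head):
                findings["lnk_content"].append(name)
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """Single verdict for a gateway rule: any finding means hold for review."""
    return any(triage_archive(zip_bytes).values())


def build_sample_archive() -> bytes:
    """Constructed test archive mirroring the shape in the report: seven
    benign entries and two shortcuts. Names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(1, 8):
            zf.writestr(f"slides/session{i}.pptx", b"benign placeholder content")
        # A shortcut hiding behind a document-looking name, and a plain one.
        zf.writestr("slides/agenda.pptx.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("slides/speaker_bio.lnk", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for reason, entries in triage_archive(sample).items():
        print(f"{reason}: {entries}")
    print("hold for review:", is_suspicious(sample))
```

Checking the header bytes rather than only the extension matters because a shortcut that has been renamed still runs as a shortcut once Explorer sees the LNK structure, so a name-only rule would miss it; conversely, a `.lnk` name with non-shortcut content is still worth holding, which is why both checks report independently.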
There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.
SentinelOne said its investigation also uncovered malware – two LNK files ("inteligence.lnk" and "news.lnk") as well as shellcode variants delivering RokRAT – that's said to be part of the threat actor's planning and testing processes.
While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.
The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi likely in an effort to circumvent detection in response to public disclosure about its tactics and techniques.
"ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies," the researchers said.
"This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea's decision-making processes."