SHUTTERSPEED

The newly rising star on the North Korean cybercrime stage is the ScarCruft hacking group. It also is known under the APT37 (Advanced Persistent Threat) alias. The ScarCruft hacking group is likely to be funded by the government of North Korea directly. This is why it is almost certain that the APT37 group is one of the attack dogs of Kim Jong-Un. This is why it makes sense that most of the targets of the ScarCruft hacking group are either government-linked institutions or high-ranking officials, usually located in South Korea. One of the tools in the arsenal of the ScarCruft hacking group is the SHUTTERSPEED backdoor Trojan. This threat is meant to be used as a first-stage payload, which serves to deploy additional threats on the compromised machine. The SHUTTERSPEED Trojan also can collect system information (software and hardware) about the host. This helps the attackers determine how to continue the attack in the most efficient manner.

Exploits a Known Vulnerability

In 2017 the SHUTTERSPEED backdoor Trojan was employed in a rather large campaign. The infection vector used was ‘.RTF’ files. A macro-script was planted within the files in question. These macro-scripts were designed to exploit certain vulnerabilities such as CVE-2017-0199. Exploiting this vulnerability allows the operators of the SHUTTERSPEED Trojan to run commands via a uniquely created ‘.RTF’ file. This enables the attackers to collect data regarding the hardware of the host and the software present on the system. The collected data would then be transferred to the C&C (Command & Control) server of the attackers. The SHUTTERSPEED backdoor Trojan also can be used to plant more hacking tools on the compromised machine, which can cause further damage.

The APT37 may not be as popular as the other North Korean hacking group known as Lazarus, but they are developing very fast certainly, and there is no doubt we will continue to read about their campaigns in the future.