The North Korean government does not shy away from using hacking groups to do its bidding on the international stage. It is known to have worked for years with the notorious Lazarus hacking group, which has carried out numerous attacks aimed at furthering North Korean interests politically. More recently, it has begun working with another hacking group, ScarCruft. ScarCruft is also known as APT37 (Advanced Persistent Threat). The group has carried out attacks against Middle Eastern targets, but most of its victims are located in South Korea. ScarCruft does not go after everyday users; its efforts are concentrated on individuals in prestigious positions and on large organizations.

Propagation Method

Usually, the ScarCruft hacking group uses email campaigns to propagate its hacking tools. More specifically, the group makes sure the emails it sends to its targets look as believable and legitimate as possible. These emails carry an attached document that is likely to be macro-laced. The message in the email attempts to convince the user to open the seemingly harmless attachment. Opening the attachment and enabling its content is what launches the unsafe payload stored in the corrupted document.
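As an added defensive example (not code from the original article or from any vendor it cites), the following Python triage check flags the kind of macro-laced Office attachment described above by looking for an embedded VBA project inside the OOXML container. The sample documents it builds are constructed in-memory stand-ins, and the extension list and verdict names are assumptions of this example.

```python
import io
import os
import zipfile

# OOXML extensions that are allowed to carry VBA; a .docx/.xlsx should never.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (docx/xlsx/pptx family) blob embeds a VBA project.

    Two independent signals are checked: a vbaProject.bin part anywhere in the
    archive, and the vbaProject content type declared in [Content_Types].xml.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not OOXML (legacy .doc, PDF, text...); out of scope here
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict for one attachment: 'macro', 'extension-mismatch' or 'clean'."""
    ext = os.path.splitext(filename)[1].lower()
    if not has_vba_project(data):
        return "clean"
    # Office treats .docx/.xlsx as macro-free, so VBA inside one points to a
    # renamed or tampered file and deserves a closer look, not just a warning.
    return "macro" if ext in MACRO_ENABLED_EXTENSIONS else "extension-mismatch"


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_vba:
            types += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        zf.writestr("[Content_Types].xml", types + b"</Types>")
        zf.writestr("word/document.xml", b"<document/>")
    return buf.getvalue()
```

Calling `classify_attachment("renamed.docx", build_sample(True))` returns `"extension-mismatch"`, which is the case a mail gateway should quarantine rather than merely warn about.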

Able to Collect Data and Plant Additional Malware

The SLOWDRIFT threat, in particular, can be classified as a Trojan downloader. This hacking tool is meant to infiltrate the host and begin collecting information about the system. The data the SLOWDRIFT Trojan is after is general information about the hardware and software of the infected host. That data is then transferred to the operators of the SLOWDRIFT Trojan. It helps the ScarCruft hacking group decide how to continue the attack, and more specifically, which of its other hacking tools is most suitable for deployment as a second-stage payload. The SLOWDRIFT Trojan downloader thus serves as a gateway through which the attackers plant a more severe threat on the compromised system. Cybersecurity experts have determined that, so far, the ScarCruft hacking group has used the SLOWDRIFT Trojan downloader to plant the ZUMKONG infostealer on its targeted computers.

The APT37 group is a rising star in the dark world of cyber crooks. If it continues improving its tools and techniques, it may soon be considered on the level of its fellow North Koreans operating in the same sector: the infamous Lazarus hacking group.
