ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics

Overview

Cybersecurity researchers from Seqrite Labs have identified a new spear‑phishing campaign dubbed Operation HanKook Phantom conducted by ScarCruft (APT37), a North Korea‑linked hacking group. The attackers send emails masquerading as the “National Intelligence Research Society Newsletter – Issue 52” to individuals associated with South Korean research and government circles. The objective appears to be espionage: stealing sensitive information, establishing persistence and conducting intelligence gathering.

Attack chain

The phishing email includes a ZIP archive containing a Windows shortcut (LNK) file disguised as a PDF document. When opened, the LNK launches a decoy newsletter while silently delivering RokRAT to the host. RokRAT is a remote‑access trojan capable of collecting system information, executing commands, enumerating file systems, capturing screenshots and downloading additional payloads. The stolen data is exfiltrated via Dropbox, Google Cloud, pCloud and Yandex Cloud.

Seqrite also discovered a second variant of the campaign: the LNK file triggers a PowerShell script that drops a decoy Word document and executes an obfuscated batch script to deploy a dropper. This second stage delivers additional malware, hides network traffic as a Chrome file upload and aims to maintain persistence.

Impact and recommended actions

The campaign targets South Korean academics, former government officials and researchers. It leverages legitimate‑looking documents, long‑standing trust and multi‑stage payloads to evade detection and deliver RokRAT. Organisations and individuals in academia or government should be particularly vigilant.

Recommended actions:

  1. Educate users on spear phishing: Train employees and researchers to scrutinise email attachments, especially ZIP files containing LNK shortcuts disguised as documents. Encourage them to report suspicious messages.
  2. Block LNK file attachments: Configure email security gateways to quarantine or block emails containing Windows shortcut files or other high‑risk attachments.
  3. Enable application whitelisting and macro controls: Restrict the execution of scripts and macros from untrusted sources, and implement application control policies to prevent unauthorised binaries from running.
  4. Monitor for RokRAT indicators: Use threat intelligence feeds to track known command‑and‑control domains and network patterns associated with RokRAT and other APT37 tools.
  5. Segregate sensitive networks: Apply network segmentation and least‑privilege principles to limit lateral movement if an infection occurs.
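The lure described above arrives as a ZIP whose LNK member is disguised as a PDF. The following is an added example (not code from the article, Seqrite Labs or The Hacker News) of the kind of archive check a mail gateway or triage script can apply: it flags members that carry a `.lnk` extension, a document extension hidden before `.lnk`, or the Shell Link header bytes under some other extension. The sample archive is constructed inline.

```python
import io
import zipfile

# Every Windows shortcut (Shell Link) file starts with HeaderSize 0x4C followed by
# the Shell Link CLSID 00021401-0000-0000-C000-000000000046 in little-endian form.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a lure typically borrows to look like a harmless document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons this archive member looks like an LNK lure (empty if none)."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    if lower.endswith(".lnk"):
        reasons.append("lnk-extension")
        # e.g. newsletter.pdf.lnk: a document extension placed before .lnk
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double-extension")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk-header")
        # Shortcut content under a non-.lnk name is itself a strong signal.
        if not lower.endswith(".lnk"):
            reasons.append("extension-mismatch")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan a ZIP given as bytes; map each suspicious member name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one disguised shortcut next to one benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter_Issue52.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("Newsletter_Issue52.pdf", b"%PDF-1.7\n%constructed sample\n")
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` reports only the `.pdf.lnk` member; a gateway would quarantine the message on any non-empty result.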

Conclusion

Operation HanKook Phantom demonstrates how ScarCruft continues to refine its espionage campaigns using targeted spear‑phishing and fileless malware loaders. By combining legitimate‑looking newsletters with multi‑stage payloads and sophisticated remote‑access tools like RokRAT, the group can harvest sensitive information while evading detection. Vigilance, user training, attachment filtering and network monitoring are essential to mitigate the risk of such attacks.

Sources: The Hacker News – ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics