Lazarus, Scarcruft North Korean APTs Shift Tactics, Thrive

North Korean state advanced persistent threats (APTs) are evolving: developing new payloads; modifying their tactics, techniques, and procedures (TTPs); and targeting new sectors and individuals without bias — even if those individuals themselves happen to be North Koreans.

In its APT trends report for the first quarter of 2023, Kaspersky highlighted developments in APT activity across the globe. In Russia, for example, threat actors are overlapping and collaborating, despite some crucial differences in motivations. And in Iran, known groups like MuddyWater and OilRig are carrying out new campaigns and modifying their malware, with the former in particular spreading to countries as far and wide as Egypt, Canada, and Malaysia.

Meanwhile, Southeast Asia "has been a key area of development," says David Emm, senior security researcher at Kaspersky, "and it doesn't show any signs of slowing down any time soon."

An area of particular note is North Korea, where state-sponsored entities like Scarcruft and the notorious Lazarus Group are upgrading their malware to go after some somewhat unexpected targets. Lazarus, for example, is targeting organizations in countries one might not immediately associate with North Korean interests — for example, Bulgaria — while Scarcruft is attacking North Koreans themselves.

An Update on Lazarus Group

Lazarus Group's most famous exploits may be long in the past now, but it's still as active as ever.

In 2022, for example, the group leveraged the Log4j crisis to deploy its DTrack backdoor and other post-exploitation malware onto networks belonging to organizations in the field of scientific research: biomedical, genetics, soil sciences, and energy.

More recently, in a campaign that ended this January, the group weaponized a backdoored client for the open source remote administration tool UltraVNC. Its zombified UltraVNC might have seemed to operate normally on the surface, while it covertly exfiltrated data about the host computer and downloaded to it a brand-new version of Blindincan

Blindincan is a remote access Trojan that enables Lazarus to read, write, and delete files (among other things), retrieve information about a host's OS and disks, and more. The newest version introduced plug-ins to expand upon the original's functionality.

Analysis of the January 2023 campaign suggested that Blindincan was deployed against organizations in the manufacturing and real estate sectors in India and telecommunications companies in Pakistan and Bulgaria.

What Else is Going on in North Korea

Meanwhile, Kaspersky's researchers observed the Scarcruft APT deploying a new info-stealer called "SidLevel," written in Go, a popular trend among Southeast Asian hackers as of late.

After obtaining access to data from the attackers' command-and-control C2 servers, the researchers found a wealth of stolen information not from foreign targets, but domestic ones — and not just domestic targets but individuals: novelists, students, and businesspeople from North Korea itself.

Being one person against the might of a nation-state APT is a tricky position to be in, Emm acknowledges, but it's not as uncommon as it sounds.

"You know, often when an APT goes after organizations, they will actually go after individuals," he points out. Hackers often target low-level employees with access to broader IT infrastructure in a large enterprise, or they go directly for the throat: spear-phishing a high-level executive or administrator with privileged access to sensitive documents or systems.

"For organizations and individuals, the key is to decide if you are in that category — that you may be a person of interest," he says. "Then, you really need to think above and beyond. Being able to detect suspicious activity, and taking great care over the data that you're holding onto, needs to be over and above what maybe an ordinary individual would do."