# Full Report
The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery channel for a remote access trojan called RokRAT. "The threat actor used two Facebook
# Analysis Summary
# Threat Actor: APT37
## Attribution & Identity
* **Primary Name:** APT37
* **Aliases:** ScarCruft, Reaper, RedEyes, Group123, Ricochet Chollima.
* **Origin:** North Korea (Democratic People's Republic of Korea).
* **Associations:** Linked to the North Korean government, specifically suspected to be under the Ministry of State Security.
## Activity Summary
The actor is currently engaged in a multi-stage social engineering campaign leveraging social media platforms. The group utilizes Facebook to identify and approach targets, initiating "friend requests" to build long-term rapport and trust. Once a relationship is established, the platform is used as a delivery vector for malicious payloads.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses Facebook to build trust with targets before delivering malware.
* **Multi-stage Infection:** Employs complex infection chains to deploy final stage payloads.
* **Phishing/Lure Delivery:** Pivots from social media conversation to the delivery of shared files or direct links.
* **Remote Access:** Use of sophisticated Trojans for persistence and data exfiltration.
*(MITRE ATT&CK Mapping based on delivery method)*
* **T1566.003:** Phishing: Spearphishing via Service (Facebook)
* **T1204.001:** User Execution: Malicious Link
* **T1071.001:** Application Layer Protocol: Web Protocols (C2 communications)
## Targeting
* **Sectors:** Defectors, human rights organizations, government officials, and individuals specializing in North Korean affairs.
* **Geography:** Primarily South Korea, though interests extend globally to North Korean diaspora and policy experts.
* **Victims:** Specific individuals targeted via personalized social media profiles.
## Tools & Infrastructure
* **Malware Families:** **RokRAT** (a sophisticated Remote Access Trojan known for using legitimate cloud services for C2 to bypass detection).
* **Infrastructure:**
  * Social Media: Facebook (used for initial contact and trust-building).
  * C2: RokRAT historically utilizes cloud-based APIs (e.g., pCloud, Dropbox, Yandex) for command and control.
## Implications
This campaign highlights APT37's shift toward high-touch social engineering. By investing time into building trust on social media, the actor significantly increases the likelihood of a successful infection, as targets are less likely to report or scan files received from an established "friend." This represents a persistent threat to civil society and high-value individuals involved in Korean Peninsula geopolitics.
## Mitigations
* **Social Media Hygiene:** Implement strict privacy settings and educate high-risk employees on the dangers of accepting friend requests from unknown individuals.
* **Verification:** Verify the identity of new connections via secondary, out-of-band communication channels.
* **Endpoint Detection:** Deploy EDR/AV solutions capable of detecting memory-only threats and anomalous behavior associated with RokRAT.
* **Cloud API Monitoring:** Monitor and restrict unauthorized API calls to public cloud storage providers (e.g., pCloud, OneDrive) from sensitive internal hosts.
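The Cloud API Monitoring mitigation above can be turned into a simple triage check. The following is an added example, not code from the report or from any vendor: it scans constructed web-proxy log lines for traffic to the public API hostnames of the cloud-storage providers RokRAT is known to use for C2, and flags requests that originate from hosts designated as sensitive or that come from a non-browser client. The sensitive-host list, allowed client prefixes, and log format are assumptions chosen for illustration.

```python
import re

# Public API hostnames of the providers named in the report (pCloud, Dropbox,
# Yandex). These are provider endpoints used for illustration, not indicators
# taken from the report.
CLOUD_API_DOMAINS = {
    "api.pcloud.com": "pCloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex",
}
# Assumed policy: hosts where cloud-storage API traffic is never expected.
SENSITIVE_HOSTS = {"10.0.5.21", "10.0.5.22"}
# Assumed policy: clients allowed to reach cloud storage (browsers, official sync client).
ALLOWED_UA_PREFIXES = ("Mozilla/", "DropboxDesktopClient/")

# Assumed proxy log format: <timestamp> <src-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)\S* \d{3} "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (src, provider, reason) findings for cloud-API traffic that violates the assumed policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["host"] not in CLOUD_API_DOMAINS:
            continue  # unparseable line or not a cloud-storage API endpoint
        provider = CLOUD_API_DOMAINS[rec["host"]]
        if rec["src"] in SENSITIVE_HOSTS:
            findings.append((rec["src"], provider, "cloud API from sensitive host"))
        elif not rec["ua"].startswith(ALLOWED_UA_PREFIXES):
            findings.append((rec["src"], provider, "non-browser client"))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
2024-05-16T09:01:02Z 10.0.5.21 POST https://api.pcloud.com/uploadfile 200 "Mozilla/5.0"
2024-05-16T09:01:05Z 10.0.7.40 GET https://content.dropboxapi.com/2/files/download 200 "DropboxDesktopClient/190.4"
2024-05-16T09:02:11Z 10.0.7.41 POST https://cloud-api.yandex.net/v1/disk/resources/upload 200 "curl/8.4.0"
2024-05-16T09:03:00Z 10.0.7.42 GET https://www.example.com/ 200 "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    for src, provider, reason in triage(SAMPLE_LOG):
        print(f"{src} -> {provider}: {reason}")
```

The user-agent check is a weak signal on its own, since a RAT can present a browser-like agent string; the sensitive-host rule and per-host volume baselining carry more weight in practice.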