
Fake Microsoft security warnings used to deliver North Korean NarwhalRAT malware

Ravie Lakshmanan | June 16, 2026 | Malware / Cyber Attack

A North Korean government-sponsored hacking group known as ScarCruft (APT37) has been spotted using phishing messages masquerading as Microsoft Account security alerts to deliver malware called NarwhalRAT.

“The attack email contained a message impersonating an MS security account,” Genians Security Center (GSC) said. “It was designed to create concern about account compromise and OTP abuse, thereby enticing the recipient to use the attachment.”

“The email organization instructed the recipient to refer to the attached advisory. However, the original attachment was not an HWP [Hangul Word Processor] document, but a ZIP archive containing a malicious LNK file.”

The email claims there has been “unusual activity” involving repeated one-time password (OTP) creation, presents it as a third-party phishing attempt against the recipient's Microsoft Account, and urges the recipient to change their password. The goal of the phishing message is to create a false sense of urgency and trick the victim into accepting the email as a legitimate security warning.

Once executed, the LNK file starts a multi-stage infection chain that uses batch scripts to download and install NarwhalRAT, retrieving the official Python executable from the Python website along with a Windows security catalog (CAT) file. Persistence is achieved through a scheduled task configured to launch the CAT file, which is responsible for downloading and executing a large payload in memory without leaving any artifacts on disk.

The Python-based malware can capture keystrokes, take screenshots (including high-resolution captures), record ambient audio, list directory contents, collect active-window information, harvest data from USB media, execute commands issued by the command-and-control (C2) server, and switch C2 servers.

The NarwhalRAT moniker is a reference to the malware's use of a hidden directory, “%APPDATA%\naverwhale”, to stage information harvested from a compromised host. The directory name is an attempt to evade detection by posing as Naver Whale, a web browser developed by the South Korean technology company Naver Corporation.

APT37's deployment of NarwhalRAT is notable because it marks a departure from RokRAT, a malware family long associated with the group.

“From C2’s infrastructure perspective, the malware is using Korean websites, including ‘daehoat[.]com’ and ‘novel21[.]co.kr,’ as the main means of communication, while using communication functionality based on the pCloud cloud storage API,” the South Korean cybersecurity company said.

“In particular, pCloud-specific processes that process ‘foldaid’ and ‘auth’ parameters were identified within the code. This indicates that the malware was designed to use the official cloud service as a second C2 channel in the form of a dead drop resolver.”

Genians said the operation shares “many similarities” with previous Python-based attacks orchestrated by ScarCruft, including a phishing campaign that used ticket validation and event invites to trick potential targets into opening ZIP archives containing LNK files.

The attack chain plays out the same way: the LNK file acts as a conduit for an obfuscated batch script downloaded from a remote C2 server, which in turn downloads a Python binary and a CAT file, ultimately leading to a Python script that can execute remote commands and return the results to the C2 server.

Interestingly, the scheduled task names used to establish persistence follow the same naming convention. While the NarwhalRAT infection creates a scheduled task called “MicrosoftUserInterfacePicturesUpdateTackMachine,” the earlier campaign uses the name “MicrosoftMusicLibrariesPackageTaskMachine.”
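The persistence traits described above (Microsoft-lookalike scheduled task names, a task action that launches a .cat file, and a Python interpreter staged under a user-writable path) can be turned into a simple triage check over exported scheduled-task records. The following is an added example written for this article, not code from Genians or from the article; the `TaskRecord` shape, the sample records and the assumption that the interpreter lives under a user-writable directory are constructed for illustration.

```python
# Added example: triage exported Windows scheduled-task records for the
# NarwhalRAT-style persistence traits described in the article.
import re
from dataclasses import dataclass

# Task names reported for the two ScarCruft campaigns (taken from the article).
KNOWN_TASK_NAMES = {
    "MicrosoftUserInterfacePicturesUpdateTackMachine",
    "MicrosoftMusicLibrariesPackageTaskMachine",
}
# Lookalike pattern: a Microsoft-sounding CamelCase name ending in "TaskMachine"
# (or the misspelt "TackMachine") that no Microsoft product actually registers.
LOOKALIKE = re.compile(r"^Microsoft[A-Z][A-Za-z]+T(ask|ack)Machine$")
# Directories a standard user can write to; assumed staging locations.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)

@dataclass
class TaskRecord:
    name: str          # task name as shown in Task Scheduler
    author: str        # <Author> element of the task XML
    command: str       # <Exec><Command> element
    arguments: str = ""  # <Exec><Arguments> element

def triage_task(t: TaskRecord) -> list[str]:
    """Return the reasons a task resembles this persistence; empty list = clean."""
    reasons = []
    if t.name in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported ScarCruft task")
    elif LOOKALIKE.match(t.name) and t.author.lower() != "microsoft corporation":
        reasons.append("Microsoft-lookalike task name not authored by Microsoft")
    cmdline = f"{t.command} {t.arguments}"
    # A security catalog (.cat) is data; it is never a legitimate task action.
    if re.search(r"\.cat\b", cmdline, re.I):
        reasons.append("task action references a .cat file")
    # Interpreter launched from a user-writable path matches the loader pattern.
    if re.search(r"python(w)?\.exe", t.command, re.I) and USER_WRITABLE.search(t.command):
        reasons.append("python.exe launched from user-writable location")
    if "naverwhale" in cmdline.lower():
        reasons.append("references the naverwhale staging directory")
    return reasons

# Constructed sample records (not real telemetry): one benign updater task and
# two records modelled on the task names the article reports.
SAMPLE_TASKS = [
    TaskRecord("MicrosoftEdgeUpdateTaskMachineCore", "Microsoft Corporation",
               r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "/c"),
    TaskRecord("MicrosoftUserInterfacePicturesUpdateTackMachine", "user01",
               r"C:\Users\user01\AppData\Roaming\naverwhale\python.exe",
               r"C:\Users\user01\AppData\Roaming\naverwhale\update.cat"),
    TaskRecord("MicrosoftMusicLibrariesPackageTaskMachine", "user01",
               r"C:\Windows\System32\cmd.exe", r"/c start /min %APPDATA%\pkg\pkg.cat"),
]

def suspicious_tasks(tasks=SAMPLE_TASKS) -> dict[str, list[str]]:
    """Map each flagged task name to its triage reasons."""
    return {t.name: triage_task(t) for t in tasks if triage_task(t)}
```

Feed it records parsed from `schtasks /query /xml` or Task Scheduler exports; the rule on `.cat` actions and the lookalike-name check are the ones worth keeping beyond this specific campaign.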

“Overall, NarwhalRAT is evaluated as an advanced RAT malware that includes a Python-based multi-stage loader, a memory framework, a multi-C2 framework, and information gathering functions,” Genians said.
