Air-Gapped Network Breach via ScarCruft’s Zoho WorkDrive and USB Malware Exploit


North Korean Threat Actor ScarCruft Expands Toolkit with Zoho WorkDrive and USB Malware

A recent campaign attributed to the North Korean threat actor ScarCruft has revealed the group’s use of novel tools to breach air-gapped networks. The campaign, dubbed Ruby Jumper, involves the deployment of multiple malware families, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT. These tools facilitate surveillance on victim systems and enable the threat actor to move laterally within a network.

The Attack Begins

The attack begins with a malicious LNK file, which launches a PowerShell script that scans the current directory to locate itself based on file size. The script then extracts multiple embedded payloads, including a decoy document, an executable payload, an additional PowerShell script, and a batch file. One of the lure documents used in the campaign is an article about the Palestine-Israel conflict translated from a North Korean newspaper into Arabic.
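A defender-side triage heuristic for the LNK stage described above, as an added example that is not part of the original report: a shortcut that has to locate itself by file size and carve out a decoy document, an executable, a PowerShell script and a batch file is necessarily far larger than a genuine .lnk and carries those artifacts in its tail. The size threshold, the marker set and the embedded sample are assumptions constructed for illustration.

```python
"""Heuristic triage of .lnk files carrying appended payloads (added example, not
the report's code). Flags shortcuts far larger than a plain .lnk needs and/or
containing embedded artifacts: PE images, decoy documents, PowerShell or batch
text. The size threshold and the marker set are illustrative assumptions."""
import re
import struct

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size; also the file's first DWORD
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 64 * 1024  # assumption: genuine shortcuts are a few KB at most
TEXT_MARKERS = {  # content a shortcut has no reason to carry (illustrative set)
    "pdf_decoy": re.compile(rb"%PDF-\d\.\d"),
    "ooxml_decoy": re.compile(rb"PK\x03\x04"),
    "powershell": re.compile(rb"powershell(\.exe)?\s", re.IGNORECASE),
    "batch": re.compile(rb"@echo off", re.IGNORECASE),
}

def is_lnk(data: bytes) -> bool:
    """ShellLinkHeader check: HeaderSize == 0x4C followed by the LNK CLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def find_pe_offsets(data: bytes) -> list:
    """Offsets of embedded PE images: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def triage_lnk(data: bytes) -> dict:
    """Score one .lnk blob: suspicious when oversized or carrying embedded artifacts."""
    embedded = [("pe_image", off) for off in find_pe_offsets(data)]
    for kind, pattern in TEXT_MARKERS.items():
        embedded += [(kind, m.start()) for m in pattern.finditer(data)]
    embedded.sort(key=lambda e: e[1])
    lnk, oversized = is_lnk(data), len(data) > SIZE_THRESHOLD
    return {"is_lnk": lnk, "size": len(data), "oversized": oversized,
            "embedded": embedded, "suspicious": lnk and (oversized or bool(embedded))}

def build_sample() -> bytes:
    """Constructed sample: valid LNK header, padding, then a minimal PE stub, a PDF decoy and PS text."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    pe_stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return header + b"\x00" * (70 * 1024) + pe_stub + b"%PDF-1.4 decoy" + b"powershell.exe -File x.ps1"
```

Run `triage_lnk(open(path, "rb").read())` over shortcuts harvested from mail attachments or user profiles; a hit on `pe_image` inside a .lnk is worth escalating on its own, while `oversized` alone merits a closer look.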

Malware Components

The Windows executable payload, RESTLEAF, is spawned in memory and uses Zoho WorkDrive for command-and-control (C2) communications, marking the first time ScarCruft has abused the cloud storage service in its attack campaigns. Once authenticated with the Zoho WorkDrive infrastructure using a valid access token, RESTLEAF downloads additional payloads, including THUMBSBD and FOOTWINE.

THUMBSBD is a malware component that uses removable media to relay commands and transfer data between internet-connected and air-gapped systems. It is capable of harvesting system information and is designed to distribute BLUELIGHT, a backdoor that has been attributed to ScarCruft since at least 2021. BLUELIGHT uses legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze, for C2, and is used to run arbitrary commands and enumerate the file system.

FOOTWINE is an encrypted payload with an integrated shellcode launcher that comes equipped with keylogging and audio and video capturing capabilities to conduct surveillance. It communicates with a C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware includes interactive command shell, file and directory manipulation, plugin and configuration management, Windows Registry modification, process enumeration, screenshot and keystroke capture, and audio and video surveillance.

VIRUSTASK Malware Component

VIRUSTASK is another malware component that functions similarly to THUMBSBD, acting as a removable media propagation component to spread the malware to non-infected air-gapped systems. Unlike THUMBSBD, which handles command execution and exfiltration, VIRUSTASK focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems.

Conclusion

The Ruby Jumper campaign demonstrates ScarCruft’s ability to adapt and evolve its tactics, techniques, and procedures (TTPs) to breach air-gapped networks. The use of legitimate cloud services, such as Zoho WorkDrive, and removable media highlights the group’s resourcefulness and determination to achieve its objectives.
