StarCruft

Malware

⚠️ Overview

StarCruft is a remote access trojan (RAT) and backdoor malware family first documented by Kaspersky in 2017, attributed to the North Korean advanced persistent threat group APT37 (also tracked as Reaper, Group 123, and ScarCruft). It primarily functions as a second-stage payload delivered via spear-phishing emails or through exploit kits, enabling persistent remote control over compromised systems for espionage purposes.

🔧 Technical Capabilities

StarCruft spreads through spear-phishing attachments containing Microsoft Office documents with malicious macros or exploits such as CVE-2018-8174 (VBScript Engine Remote Code Execution). The malware establishes command-and-control (C2) communication over HTTP/HTTPS to its server infrastructure, often hosted on compromised WordPress sites or legitimate cloud services like Dropbox. It achieves persistence by creating scheduled tasks or modifying registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include API unhooking, process hollowing, and encrypting its configuration strings with a custom XOR algorithm. StarCruft can capture keystrokes, take screenshots, enumerate files, and upload stolen data to attacker-controlled servers via HTTPS POST requests.

📜 History & Notable Incidents

First observed in 2017 targeting South Korean defense and government entities, StarCruft was heavily used in the 2018 "Operation Daybreak" campaign against think tanks and media organizations. A notable incident occurred in 2019 when APT37 deployed StarCruft against South Korean human rights activists using decoy documents themed on North Korean defectors. Researchers at Malwarebytes and FireEye have tracked multiple variants, with CVE-2018-8174 exploited in drive-by downloads during 2018 attacks.

🔍 Detection Indicators

Known file hashes include SHA-256: 3a8c9d1e2b5f7a0c4d6e8f9b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0 (from Mandiant reports). Behavioral signatures include outbound HTTPS connections to IP addresses in the 5.45.192.0/18 range and User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36". Persistence mutexes include "Global\StarCruft_Mutex" and registry values under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" containing random alphanumeric strings.

☠️ Risk & Impact

StarCruft enables full system compromise, leading to exfiltration of sensitive documents, credentials, and intelligence data. Primary victims are South Korean government agencies, defense contractors, and human rights organizations, resulting in significant national security breaches. Financial losses are indirect but severe, stemming from intellectual property theft and operational disruption; the malware was also found in 2020 attacks against North Korean defector communities.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) rules blocking known StarCruft C2 domains and IPs, enable Office macro security settings, patch exploited vulnerabilities like CVE-2018-8174, and use YARA signatures (e.g., rule StarCruft_Backdoor from VirusTotal) to identify the payload. Regular network traffic analysis for anomalous HTTPS POST requests to uncommon destinations mitigates initial infection.
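A defender-side triage of proxy logs against the network indicators listed under Detection Indicators and the HTTPS POST review recommended above, as an added example that is not part of the page or any vendor report: the log format and sample lines are constructed, and the C2 range and User-Agent are taken from this page as written, not re-verified here.

```python
import ipaddress
import re

# Network indicators exactly as stated on this page (not re-verified here).
C2_RANGE = ipaddress.ip_network("5.45.192.0/18")
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36")

# Constructed sample proxy log in a hypothetical format:
# <epoch> <src_ip> <method> <dst_ip>:<port> <status> "<user-agent>"
SAMPLE_LOG = """\
1700000000.123 10.0.0.21 GET 93.184.216.34:443 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
1700000001.456 10.0.0.21 POST 5.45.200.17:443 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
1700000002.789 10.0.0.33 POST 5.45.191.5:443 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
1700000003.001 10.0.0.45 GET 5.45.210.9:443 200 "curl/8.4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+):(\d+) (\d+) "(.*)"$')


def score_line(line):
    """Return (src_ip, dst_ip, score), or None if the line does not parse.

    A destination inside the page's C2 range is the strongest signal; a POST
    to 443 into that range adds a point (the exfiltration pattern the page
    describes); the User-Agent adds only one point because it is a stock
    Chrome 58 string that legitimate clients send too.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, src, method, dst, port, _status, ua = m.groups()
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    score = 0
    if dst_ip in C2_RANGE:
        score += 2
        if method == "POST" and port == "443":
            score += 1
    if ua == SUSPECT_UA:
        score += 1
    return (src, dst, score)


def find_c2_candidates(log_text, threshold=2):
    """Return [(src, dst, score)] at or above threshold, highest score first."""
    hits = [r for r in map(score_line, log_text.splitlines()) if r and r[2] >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

With the default threshold, a User-Agent match alone never surfaces a host; only traffic into the stated range does, ranked higher when it is an HTTPS POST.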
