Email-based security is one of the most effective ways to prevent malware infections from occurring in the first place. Proper email security controls, such as AV scanning and sandboxing of attachments, are highly recommended to keep malicious files or URLs from ever being presented to an end user. Where a malicious item does get through, strong endpoint security controls, such as an EDR, can help prevent the compromise of a system. EDRs not only provide strong prevention capability; they also provide the ability to detect potentially malicious behavior. The infection chain used by this ScarCruft campaign exhibits many behaviors that should be considered suspicious: the HTML Help process hh.exe spawning an mshta.exe process, mshta.exe making external network connections and launching PowerShell, PowerShell making frequent outbound network connections to the same remote address, and PowerShell executing a cmd.exe process to launch further commands. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
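As an added example (not code from the original post or from Binary Defense), the chain above expressed as detection logic run over constructed Sysmon-style process-creation and network-connection events; the event field names, the beacon threshold of 5 connections, and the 203.0.113.10 sample host are assumptions, not campaign indicators.

```python
"""Flag the ScarCruft-style process and network chain in Sysmon-like events."""
from collections import Counter

BEACON_THRESHOLD = 5  # assumed: connections from one PowerShell PID to one host

# Suspicious parent -> child process pairs from the chain described above.
SUSPICIOUS_SPAWNS = {
    ("hh.exe", "mshta.exe"): "hh.exe spawned mshta.exe",
    ("mshta.exe", "powershell.exe"): "mshta.exe launched PowerShell",
    ("powershell.exe", "cmd.exe"): "PowerShell launched cmd.exe",
}

def basename(path):
    """Lower-cased file name of an image path (C:\\Windows\\HH.EXE -> hh.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) findings; events are process/network dicts as in SAMPLE."""
    findings = []
    beacons = Counter()  # (pid, dest) -> number of PowerShell connections seen
    for ev in events:
        if ev["type"] == "process":
            pair = (basename(ev["parent_image"]), basename(ev["image"]))
            if pair in SUSPICIOUS_SPAWNS:
                findings.append((SUSPICIOUS_SPAWNS[pair], f"pid {ev['pid']}"))
        elif ev["type"] == "network":
            image = basename(ev["image"])
            if image == "mshta.exe":  # HTA host should not be talking to the internet
                findings.append(("mshta.exe external connection", ev["dest"]))
            elif image == "powershell.exe":  # repeated connections to one host
                beacons[(ev["pid"], ev["dest"])] += 1
                if beacons[(ev["pid"], ev["dest"])] == BEACON_THRESHOLD:
                    findings.append(("PowerShell repeated connections", ev["dest"]))
    return findings

# Constructed sample telemetry; 203.0.113.10 is a documentation-range placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"type": "process", "parent_image": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\mshta.exe", "pid": 100},
    {"type": "network", "image": r"C:\Windows\System32\mshta.exe", "pid": 100, "dest": "203.0.113.10"},
    {"type": "process", "parent_image": r"C:\Windows\System32\mshta.exe", "image": PS, "pid": 200},
    *[{"type": "network", "image": PS, "pid": 200, "dest": "203.0.113.10"} for _ in range(6)],
    {"type": "process", "parent_image": PS, "image": r"C:\Windows\System32\cmd.exe", "pid": 300},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe", "pid": 400},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE):
        print(f"[ALERT] {rule}: {detail}")
```

The benign explorer.exe to notepad.exe event in the sample produces no finding, and the beacon rule fires once per (PID, host) pair rather than on every connection, which keeps the alert volume manageable.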