
ScarCruft APT Deploys Zoho WorkDrive Backdoor and USB Malware for Air-Gapped Attacks

Source: The Hacker News

North Korea's ScarCruft APT group targets air-gapped networks using Zoho WorkDrive C2 backdoor and USB-based malware in a new campaign dubbed Ruby Jumper.

North Korean APT Group ScarCruft Targets Air-Gapped Networks with Novel Malware Tools

Security researchers at Zscaler ThreatLabz have uncovered a new cyber espionage campaign by the North Korean advanced persistent threat (APT) group ScarCruft, which leverages Zoho WorkDrive for command-and-control (C2) communications and USB-based malware to infiltrate air-gapped networks. The campaign, tracked as Ruby Jumper, highlights the group’s evolving tactics to bypass traditional security defenses.

Technical Details of the Attack

The Ruby Jumper campaign employs two primary malware components:

  1. Zoho WorkDrive Backdoor

    • A custom backdoor that abuses Zoho WorkDrive’s cloud storage service for C2 communications.
    • The malware retrieves additional payloads from the compromised WorkDrive account and exfiltrates collected data to it.
    • This technique allows attackers to evade detection by blending malicious traffic with legitimate cloud service usage.
  2. USB-Based Implant

    • A secondary malware strain designed to propagate via removable USB drives.
    • Once inserted into an air-gapped system, the implant executes predefined commands and exfiltrates data back to the attacker-controlled infrastructure.
    • This method enables lateral movement and data theft in environments where direct internet access is restricted.

Zscaler’s analysis indicates that ScarCruft continues to refine its toolset, likely in response to increased scrutiny of its previous attack methods.

Impact and Attribution

ScarCruft, also known as APT37 or Reaper, is a North Korean state-sponsored threat group with a history of targeting government, defense, and critical infrastructure sectors. The use of Zoho WorkDrive and USB malware suggests a shift toward living-off-the-land (LotL) techniques and physical media-based attacks to evade network-based defenses.

The campaign’s focus on air-gapped networks—common in high-security environments such as military and nuclear facilities—raises concerns about potential espionage and data exfiltration risks.

Recommendations for Defense

Security teams should implement the following mitigations to detect and prevent similar attacks:

  • Monitor Cloud Service Usage: Audit and restrict access to Zoho WorkDrive and other cloud storage platforms, particularly for unusual data transfer patterns.
  • USB Device Control: Enforce strict policies on removable media usage, including whitelisting approved devices and scanning for malicious payloads.
  • Network Segmentation: Isolate air-gapped systems from less secure networks to limit lateral movement.
  • Endpoint Detection and Response (EDR): Deploy advanced EDR solutions to detect anomalous behavior, such as unauthorized C2 communications.
  • Threat Intelligence Sharing: Stay updated on ScarCruft’s TTPs (tactics, techniques, and procedures) through threat intelligence feeds.
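
As an added example (not code from the Zscaler report or The Hacker News article), here is a Python sketch of the cloud-usage monitoring in the first recommendation: it parses constructed proxy log lines, isolates requests to an assumed WorkDrive hostname, and flags clients that poll at a regular cadence or upload large volumes, the two traits a storage-based C2 channel tends to show. The log format, hostname and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import pstdev, mean
# Hosts treated as Zoho WorkDrive traffic (assumption: adjust to the hosts your proxy logs show).
WORKDRIVE_HOSTS = {"workdrive.zoho.com"}
# Constructed sample proxy log: epoch_seconds client host method bytes_out bytes_in
SAMPLE_LOG = """\
1700000000 10.0.0.5 workdrive.zoho.com GET 512 2048
1700000300 10.0.0.5 workdrive.zoho.com GET 512 2048
1700000600 10.0.0.5 workdrive.zoho.com GET 512 2048
1700000900 10.0.0.5 workdrive.zoho.com PUT 1048576 300
1700001200 10.0.0.5 workdrive.zoho.com PUT 2097152 300
1700000100 10.0.0.9 workdrive.zoho.com GET 800 40000
1700000200 10.0.0.9 www.example.com GET 100 5000
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (GET|PUT|POST) (\d+) (\d+)$")

def parse(log_text):
    """Parse lines into (ts, client, host, method, bytes_out, bytes_in); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, method, out_b, in_b = m.groups()
            events.append((int(ts), client, host, method, int(out_b), int(in_b)))
    return events

def flag_workdrive_clients(events, min_requests=5, max_jitter=0.2, upload_bytes=1_000_000):
    """Flag clients whose WorkDrive traffic looks like a polling C2 channel: low-jitter request cadence and/or bulk uploads."""
    per_client = defaultdict(list)
    for ts, client, host, method, out_b, _ in events:
        if host in WORKDRIVE_HOSTS:
            per_client[client].append((ts, method, out_b))
    findings = {}
    for client, reqs in sorted(per_client.items()):
        reqs.sort()
        if len(reqs) < max(2, min_requests):
            continue  # too few requests to judge cadence (need at least one interval)
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0  # coefficient of variation
        uploaded = sum(o for _, m, o in reqs if m in ("PUT", "POST"))
        reasons = []
        if jitter <= max_jitter:
            reasons.append(f"regular polling every ~{int(mean(gaps))}s")
        if uploaded >= upload_bytes:
            reasons.append(f"uploaded {uploaded} bytes")
        if reasons:
            findings[client] = reasons
    return findings
```

Feed it your own proxy or EDR network telemetry in the same six-field shape and tune the thresholds against a baseline of legitimate WorkDrive users before alerting on the results.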

Zscaler ThreatLabz has not disclosed specific victim details but emphasizes the need for heightened vigilance against North Korean APT threats targeting sensitive infrastructure.

For further technical analysis, refer to Zscaler’s full report on the Ruby Jumper campaign.
