ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks
Summary
The North Korean threat actor ScarCruft is using new tools, including a backdoor that uses Zoho WorkDrive for command and control (C2) and USB-based malware to breach air-gapped networks. The campaign, dubbed Ruby Jumper, relies on malware deployment.
IFF Assessment
FOE
ScarCruft's new tactics increase the attack surface and potential impact of their operations.
Defender Context
Defenders should monitor for suspicious Zoho WorkDrive activity and implement strict removable media policies. The use of cloud services for C2 and of USB media to breach air-gapped networks is becoming increasingly common, requiring a layered defensive approach.
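The following is an added illustration, not code from the original brief or from any vendor report, of the two detections the Defender Context calls for: non-browser processes contacting Zoho WorkDrive, and executables launched from removable media. The log format, the WorkDrive hostnames, the removable drive letters and the sample events are all assumptions constructed for the example.

```python
"""Constructed detection example for the two signals named in the brief:
non-browser processes contacting Zoho WorkDrive, and executables launched
from removable media. Log format, hostnames and sample events are assumptions."""
from dataclasses import dataclass

# Assumed Zoho WorkDrive hostnames; confirm against your own proxy/DNS data.
WORKDRIVE_HOSTS = ("workdrive.zoho.com", "www.zohoapis.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: removable volumes are mounted on these drive letters.
REMOVABLE_PREFIXES = ("D:\\", "E:\\", "F:\\")

@dataclass
class Event:
    ts: str
    host: str
    process: str
    image_path: str
    dest: str  # destination hostname; empty for process-start events

def parse_line(line: str) -> Event:
    # Constructed pipe-delimited format: ts|host|process|image_path|dest
    ts, host, proc, path, dest = line.rstrip("\n").split("|", 4)
    return Event(ts, host, proc.lower(), path, dest.lower())

def is_workdrive(dest: str) -> bool:
    return any(dest == h or dest.endswith("." + h) for h in WORKDRIVE_HOSTS)

def detect(lines):
    """Return one finding per matching rule, in log order."""
    findings = []
    for ev in map(parse_line, lines):
        if ev.dest and is_workdrive(ev.dest) and ev.process not in BROWSERS:
            findings.append({"host": ev.host, "process": ev.process,
                             "rule": "workdrive-nonbrowser", "ts": ev.ts})
        if ev.image_path.upper().startswith(REMOVABLE_PREFIXES):
            findings.append({"host": ev.host, "process": ev.process,
                             "rule": "removable-media-exec", "ts": ev.ts})
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z|WS01|chrome.exe|C:\\Program Files\\Google\\Chrome\\chrome.exe|workdrive.zoho.com",
    "2024-01-01T10:01:00Z|WS01|svchost.exe|C:\\Windows\\System32\\svchost.exe|workdrive.zoho.com",
    "2024-01-01T10:02:00Z|WS02|setup.exe|E:\\setup.exe|",
    "2024-01-01T10:03:00Z|WS02|explorer.exe|C:\\Windows\\explorer.exe|update.microsoft.com",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Browser traffic to WorkDrive is allowlisted here because legitimate users reach the service that way; the signal of interest is the same destination from a process that has no business talking to a cloud drive.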