A Korean-speaking hacking group in operation since at least 2016 is expanding its arsenal of hacking tools to include a Bluetooth-device harvester, in a move that signals the group's growing interest in mobile devices.
ScarCruft is a Korean-speaking advanced persistent threat group that researchers with security firm Kaspersky Lab have been following since at least 2016. At the time, the group was found using at least four exploits, including an Adobe Flash zeroday, to infect targets located in Russia, Nepal, South Korea, China, India, Kuwait, and Romania.
In a post published Monday, Kaspersky Lab researchers said they discovered a custom Bluetooth-device harvester created by ScarCruft. The researchers wrote:
This malware is responsible for stealing Bluetooth-device information. It's fetched by a downloader and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information.
Instance Name: Name of device
Address: Address of device
Class: Class of the device
Connected: Whether the device is connected (true or false)
Authenticated: Whether the device is authenticated (true or false)
Remembered: Whether the device is a remembered device (true or false)
The attackers appear to be expanding the scope of the information collected from victims.
Overlap with DarkHotel
Kaspersky Lab researchers said that some of the Russia- and Vietnam-based investment and trading companies infected by ScarCruft may have links to North Korea. The researchers said ScarCruft also attacked a diplomatic agency in Hong Kong and another diplomatic agency in North Korea. "It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes," the researchers wrote.
One target from Russia triggered a malware detection alert while staying in North Korea. The alert suggests that it had valuable information about North Korean affairs. ScarCruft infected the target in September 2018. Before that, however, the target had been infected by a different APT group known as DarkHotel and, before that, by a different piece of malware known as Konni.
"This isn't the first time we've seen an overlap of ScarCruft and DarkHotel actors," Kaspersky Lab researchers wrote. "They're both Korean-speaking threat actors, and sometimes their victimology overlaps. But both groups seem to have different TTPs (Tactics, Techniques, and Procedures), and it leads us to believe that one group regularly lurks in the other's shadow."
ScarCruft infects its targets through spearphishing emails and by compromising the websites they visit and lacing them with exploits. Sometimes the exploits are zerodays; in other cases, the group has used public exploit code. The group also uses a multi-stage infection process that ultimately downloads files from a command and control server. To thwart network defenses, the downloader uses steganographic techniques that hide an encrypted payload in an image file. The final payload installs a backdoor known as ROKRAT.
Kaspersky's discovery of the Bluetooth harvester is evidence that ScarCruft is continuing to develop its capabilities.
"The ScarCruft has shown itself to be a highly skilled and active group," Monday's post concluded. "It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on the ScarCruft's recent activities, we strongly believe that this group is likely to continue to evolve."
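One defensive check a network team can run against image files pulled from a proxy or sandbox for the carrier-file technique described above. This is an added example written for this page, not code from the article or from Kaspersky's report, and it assumes the simplest form of image smuggling, a blob appended after the PNG IEND chunk; the article does not say how ScarCruft embeds its payload, so that form is an assumption. The sample PNG and the appended blob are constructed in the block.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past IEND.
    Returns None if the data is not a PNG or a chunk runs off the end."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header, chunk body, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def trailing_payload(data):
    """Bytes a PNG decoder silently ignores: everything after IEND (b"" if none)."""
    end = png_end_offset(data)
    return data[end:] if end is not None else b""

def scan(data):
    """Summary a triage script might log for one cached image file."""
    tail = trailing_payload(data)
    return {"trailing_bytes": len(tail), "suspicious": len(tail) > 0}

# --- constructed sample input (not taken from the article) ----------------
def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_sample_png():
    """A minimal valid 1x1 RGB PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

CLEAN_PNG = make_sample_png()
# Placeholder blob standing in for an encrypted stage; real content would be opaque.
APPENDED_BLOB = b"\x17\x92PLACEHOLDER-ENCRYPTED-STAGE\x00\x41"
SUSPECT_PNG = CLEAN_PNG + APPENDED_BLOB

if __name__ == "__main__":
    print("clean  :", scan(CLEAN_PNG))
    print("suspect:", scan(SUSPECT_PNG))
```

A clean image yields zero trailing bytes; any non-empty tail is worth pulling for further analysis, since image viewers render the file normally either way.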