A North Korea-linked threat group, tracked as ScarCruft, APT37 and Group123 and believed to be working on behalf of the North Korean government, continues to evolve and expand its arsenal. The latest addition to ScarCruft’s toolkit is what researchers described as a “rare” Bluetooth device harvester, designed to collect information about the Bluetooth devices paired with or connected to a compromised machine.
According to a report from cybersecurity firm Kaspersky Lab, which has been tracking the group since 2016, the malware uses the Windows Bluetooth APIs to enumerate the Bluetooth devices known to the compromised host and saves data such as each device’s name, class and address, along with whether the device is connected, authenticated or remembered.
The researchers identified several victims of this campaign: investment and trading companies in Vietnam and Russia. Some of those organizations are believed to have ties to North Korea, which may be why ScarCruft decided to monitor them. ScarCruft also attacked diplomatic agencies in Hong Kong and North Korea.
“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes,” the researchers said.
Kaspersky also found overlaps with another threat group, tracked as DarkHotel, and with the KONNI malware. In particular, one Russia-based victim targeted by ScarCruft had previously been compromised with the GreezeBackdoor and KONNI malware, which the researchers associate with DarkHotel.
“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve,” concluded the researchers.