15 May 2019

North Korea-Linked ScarCruft APT developed a new tool that harvests Bluetooth data

A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123, believed to be working on behalf of the North Korean government, continues to evolve and expand its arsenal. The latest addition to ScarCruft’s toolkit is what researchers described as a “rare” Bluetooth device harvester, designed to steal information about the devices connected via Bluetooth to the compromised machine.

According to the report from cybersecurity outfit Kaspersky Lab, which has been tracking the group since 2016, the malware uses Windows Bluetooth APIs to enumerate connected Bluetooth devices and saves data such as the name, class and address of each device, and whether the device is connected, authenticated or remembered.

The researchers have identified several victims of this campaign: investment and trading companies in Vietnam and Russia. Some of these organizations are believed to have ties to North Korea, which may be why ScarCruft decided to monitor them. Furthermore, ScarCruft also attacked diplomatic agencies in Hong Kong and North Korea.

“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes,” the researchers said.

Kaspersky has also found some overlaps with another hacker group, tracked as DarkHotel, and with KONNI. In particular, one Russia-based victim targeted by ScarCruft had previously been compromised with the GreezeBackdoor and KONNI malware belonging to DarkHotel.

“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve,” concluded the researchers.
