15 May 2019

North Korea-Linked ScarCruft APT developed a new tool that harvests Bluetooth data


A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123 that is believed to be working on behalf of the North Korean government continues to evolve and expand its arsenal. The latest addition to ScarCruft’s toolkit is what researchers described as a “rare” Bluetooth device harvester designed to steal information from the devices connected via Bluetooth to the compromised machine.

According to a report from cybersecurity firm Kaspersky Lab, which has been tracking the group since 2016, the malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves data such as each device's name, class and address, and whether the device is connected, authenticated or remembered.
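A detection-side example added here, not from the Kaspersky report or from the malware itself: a YARA hunting rule for Windows executables that enumerate paired or connected Bluetooth devices the way the report describes. The API names (BluetoothFindFirstDevice and related functions) and the hosting module bthprops.cpl are taken from the documented Windows Bluetooth API, not from this page, and the rule name and file-size limit are my own choices.

```yara
import "pe"

rule ScarCruft_style_Bluetooth_harvester_hunt
{
    meta:
        description = "Hunts for Windows PE files that enumerate Bluetooth devices, the behaviour attributed to ScarCruft's Bluetooth harvester"
        reference   = "Kaspersky Lab report on ScarCruft, May 2019"
        note        = "Hunting rule: legitimate Bluetooth utilities match too; triage hits rather than block on them"

    strings:
        // Documented Windows Bluetooth API names a harvester needs in order to walk
        // the device list and read each BLUETOOTH_DEVICE_INFO record (name, class
        // of device, address, connected/authenticated/remembered flags).
        // Matched as strings as well as imports so that a binary resolving them at
        // run time through GetProcAddress is still caught.
        $api_first = "BluetoothFindFirstDevice" ascii wide
        $api_next  = "BluetoothFindNextDevice" ascii wide
        $api_info  = "BluetoothGetDeviceInfo" ascii wide
        $api_close = "BluetoothFindDeviceClose" ascii wide
        $dynres    = "GetProcAddress" ascii

    condition:
        // MZ header and a size bound to keep scans cheap
        uint16(0) == 0x5A4D and filesize < 5MB and
        (
            // Static imports from the user-mode Bluetooth API module
            (pe.imports("bthprops.cpl", "BluetoothFindFirstDevice") and
             pe.imports("bthprops.cpl", "BluetoothGetDeviceInfo"))
            or
            // Dynamic resolution: the API names present alongside GetProcAddress
            ($dynres and 2 of ($api_*))
        )
}
```

A hit is a lead, not a verdict: combine it with context such as an unsigned binary, an unusual install path or outbound network capability before escalating.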

The researchers have identified several victims of this campaign: investment and trading companies in Vietnam and Russia. Some of those organizations are believed to have ties to North Korea, which may be why ScarCruft decided to monitor them. Furthermore, ScarCruft also attacked diplomatic agencies in Hong Kong and North Korea.

“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes”, the researchers said.

Kaspersky has also found some overlaps with other groups tracked as DarkHotel and KONNI. In particular, one Russia-based victim targeted by ScarCruft had previously been compromised with the GreezeBackdoor and KONNI malware belonging to DarkHotel.

“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve,” concluded the researchers.
