15 May 2019

North Korea-Linked ScarCruft APT developed a new tool that harvests Bluetooth data

A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123 that is believed to be working on behalf of the North Korean government continues to evolve and expand its arsenal. The latest addition to ScarCruft’s toolkit is what researchers described as a “rare” Bluetooth device harvester designed to steal information from the devices connected via Bluetooth to the compromised machine.

According to the report from cybersecurity outfit Kaspersky Lab, which has been tracking the group since 2016, the malware uses the Windows Bluetooth APIs to enumerate the Bluetooth devices known to the compromised machine and records, for each one, the device name, class of device and Bluetooth address, together with whether the device is currently connected, is authenticated (paired) or is a remembered device.
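To make concrete what such a harvester collects, here is an added example (written for this page; it is not ScarCruft's code and not from Kaspersky's report) of a minimal Bluetooth device harvester on the Windows Bluetooth API. On Windows it walks the device list with BluetoothFindFirstDevice/BluetoothFindNextDevice and copies the same fields the report lists out of BLUETOOTH_DEVICE_INFO; on other platforms it falls back to a constructed sample list (the two device records and the bt_device_record/format_record names are assumptions for this example) so the record format can still be inspected and run offline.

```c
/* Added example, not ScarCruft's or Kaspersky's code: what a Windows
 * Bluetooth device harvester records per device.  Build with MSVC on
 * Windows (links Bthprops.lib); elsewhere a constructed sample is used. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Portable mirror of the BLUETOOTH_DEVICE_INFO fields the report names. */
typedef struct {
    char     name[248];        /* BLUETOOTH_MAX_NAME_SIZE, UTF-8 here     */
    uint32_t class_of_device;  /* ulClassofDevice (major/minor class bits) */
    uint8_t  addr[6];          /* BLUETOOTH_ADDRESS.rgBytes, LSB first     */
    int      connected, authenticated, remembered;
} bt_device_record;

/* Serialise one record into a single line, the shape a harvester would
 * write to its log or staging file before exfiltration. */
int format_record(const bt_device_record *r, char *out, size_t n)
{
    return snprintf(out, n,
        "name=%s;class=0x%06x;addr=%02X:%02X:%02X:%02X:%02X:%02X;"
        "connected=%d;authenticated=%d;remembered=%d",
        r->name, r->class_of_device,
        r->addr[5], r->addr[4], r->addr[3], r->addr[2], r->addr[1], r->addr[0],
        r->connected, r->authenticated, r->remembered);
}

#ifdef _WIN32
#include <windows.h>
#include <bluetoothapis.h>
#pragma comment(lib, "Bthprops.lib")

/* Enumerate every device the local radio knows about, without issuing an
 * inquiry (fIssueInquiry = FALSE keeps the radio quiet, as a stealthy
 * collector would want). Returns the number of records filled. */
size_t harvest_devices(bt_device_record *out, size_t max)
{
    BLUETOOTH_DEVICE_SEARCH_PARAMS sp = { sizeof(sp) };
    sp.fReturnAuthenticated = TRUE;
    sp.fReturnRemembered    = TRUE;
    sp.fReturnConnected     = TRUE;
    sp.fReturnUnknown       = TRUE;
    sp.fIssueInquiry        = FALSE;
    sp.hRadio               = NULL;     /* all local radios */
    BLUETOOTH_DEVICE_INFO di = { sizeof(di) };
    HBLUETOOTH_DEVICE_FIND h = BluetoothFindFirstDevice(&sp, &di);
    size_t n = 0;
    if (!h) return 0;
    while (n < max) {
        bt_device_record *r = &out[n];
        WideCharToMultiByte(CP_UTF8, 0, di.szName, -1, r->name,
                            (int)sizeof r->name, NULL, NULL);
        r->class_of_device = di.ulClassofDevice;
        memcpy(r->addr, di.Address.rgBytes, sizeof r->addr);
        r->connected     = di.fConnected;
        r->authenticated = di.fAuthenticated;
        r->remembered    = di.fRemembered;
        n++;
        if (!BluetoothFindNextDevice(h, &di)) break;
    }
    BluetoothFindDeviceClose(h);
    return n;
}
#else
/* Constructed sample data (assumption for this example) so the record
 * formatting can run and be checked on a non-Windows host. */
size_t harvest_devices(bt_device_record *out, size_t max)
{
    static const bt_device_record sample[] = {
        { "Sample Headset", 0x240404, {0x06,0x05,0x04,0x03,0x02,0x01}, 1, 1, 1 },
        { "Sample Phone",   0x5a020c, {0x66,0x55,0x44,0x33,0x22,0x11}, 0, 1, 1 },
    };
    size_t n = sizeof sample / sizeof sample[0];
    if (n > max) n = max;
    memcpy(out, sample, n * sizeof *out);
    return n;
}
#endif

int main(void)
{
    bt_device_record devs[32];
    char line[512];
    size_t n = harvest_devices(devs, sizeof devs / sizeof devs[0]);
    for (size_t i = 0; i < n; i++) {
        format_record(&devs[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

From the defender's side, the same API is the hunting hook: BluetoothFindFirstDevice is exported by bthprops.cpl, so a process that is not the Bluetooth settings UI resolving that export, or reading the paired-device list without a user interaction, is a cheap indicator to alert on in EDR or Sysmon image-load telemetry.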

The researchers have identified several victims of this campaign: investment and trading companies in Vietnam and Russia. Some of those organizations are believed to have ties to North Korea, which may be why ScarCruft decided to monitor them. ScarCruft also attacked diplomatic agencies in Hong Kong and North Korea.

“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes”, the researchers said.

Kaspersky has also found overlaps with another threat actor, tracked as DarkHotel. In particular, one Russia-based victim targeted by ScarCruft had previously been compromised with the GreezeBackdoor and KONNI malware, both of which Kaspersky attributes to DarkHotel.

“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve”, concluded the researchers.
