ScarCruft threat group continues to cause havoc
Korean-speaking threat actor evolves, creates malware to identify connected Bluetooth devices
ScarCruft, a skilled, Korean-speaking threat actor, is testing and creating new tools and techniques, and extending both the range and volume of information collected from victims, Kaspersky Lab has announced.
Researchers with the cybersecurity vendor, who have been monitoring the group, have discovered that, among other things, the group has created code able to identify connected Bluetooth devices.
The ScarCruft advanced persistent threat (APT) is believed to be state-sponsored and usually targets government entities and companies with links to the Korean peninsula, apparently in search of information of political interest. In the latest activity observed by Kaspersky Lab, there are signs that the threat actor is evolving, testing new exploits, developing an interest in data from mobile devices and showing resourcefulness in adapting legitimate tools and services to its cyberespionage operations.
The group’s attacks begin, like those of many other APTs, with either spear-phishing or strategic website compromise - also known as a ‘watering-hole’ attack - using an exploit or other tricks to infect certain visitors.
In ScarCruft’s case, this is followed by a first-stage infection able to bypass Windows UAC (User Account Control), which enables it to execute the next payload with higher privileges using code normally deployed within organizations for legitimate penetration-testing purposes. In order to evade detection at the network level, the malware uses steganography, hiding the malicious code in an image file. The final stage of infection involves the installation of a cloud-service-based backdoor known as ROKRAT. The backdoor gathers a wide range of information from victim systems and devices, and can forward it to four cloud services: Box, Dropbox, pCloud and Yandex.Disk.
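Two defender-side checks follow from the chain described above: a network-level one that flags hosts uploading to several of the four cloud storage services ROKRAT is reported to use, and a file-level one that flags PNG images carrying data after the IEND chunk, the simplest form of the "payload hidden in an image" technique. This is an added example, not code from Kaspersky Lab or from the report; the API hostnames for the four services are assumptions, and the proxy log lines and the PNG bytes are constructed for the example.

```python
"""Defender checks for the ScarCruft/ROKRAT chain (added example, not
Kaspersky Lab code): multi-cloud upload detection over proxy logs, and an
appended-data check for PNG files."""
import re
import struct
import zlib
from collections import defaultdict

# Assumed API hostnames for the four services named in the report.
CLOUD_STORAGE_HOSTS = {
    "api.box.com": "Box",
    "upload.box.com": "Box",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex.Disk",
}

# Constructed proxy log: "<timestamp> <client_ip> <method> <host> <status>".
# 10.0.0.7 uploads to all four services; 10.0.0.9 only to Dropbox.
SAMPLE_PROXY_LOG = """\
2019-05-13T09:01:02Z 10.0.0.7 POST api.dropboxapi.com 200
2019-05-13T09:01:10Z 10.0.0.7 POST content.dropboxapi.com 200
2019-05-13T09:03:44Z 10.0.0.7 POST upload.box.com 200
2019-05-13T09:04:01Z 10.0.0.7 POST api.pcloud.com 200
2019-05-13T09:05:30Z 10.0.0.7 POST cloud-api.yandex.net 201
2019-05-13T09:02:15Z 10.0.0.9 GET www.example.com 200
2019-05-13T09:02:40Z 10.0.0.9 POST api.dropboxapi.com 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def cloud_services_per_client(log_text):
    """Map client IP -> set of cloud storage services it uploaded to."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, client, method, host, _status = m.groups()
        service = CLOUD_STORAGE_HOSTS.get(host.lower())
        if service and method.upper() in ("POST", "PUT"):
            seen[client].add(service)
    return dict(seen)


def flag_multi_cloud_clients(log_text, min_services=2):
    """Clients uploading to at least min_services distinct storage services.
    One service is normal office use; several in a short span is worth a look."""
    return {client: sorted(services)
            for client, services in cloud_services_per_client(log_text).items()
            if len(services) >= min_services}


PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_true_length(data):
    """Walk the PNG chunk list and return the offset just past the IEND chunk,
    or None if the bytes are not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return off if off <= len(data) else None
    return None


def appended_payload(data):
    """Bytes after the image's real end (b'' if clean); None if not a PNG."""
    end = png_true_length(data)
    return None if end is None else data[end:]


def _chunk(ctype, payload=b""):
    """Build a PNG chunk with a valid CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed 1x1 RGB PNG with no pixel data chunk, enough for the walker.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IEND"))
STEGO_PNG = CLEAN_PNG + b"CONSTRUCTED-APPENDED-PAYLOAD"

if __name__ == "__main__":
    print(flag_multi_cloud_clients(SAMPLE_PROXY_LOG))
    print(len(appended_payload(CLEAN_PNG)), len(appended_payload(STEGO_PNG)))
```

The appended-data check only catches payloads glued onto the end of a file; data hidden inside pixel values or inside extra chunks needs content-level analysis, so treat a clean result as "nothing obvious" rather than "nothing there". The proxy check is deliberately keyed on upload methods, since the report describes the services as exfiltration destinations.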
Kaspersky Lab’s researchers uncovered an interest in stealing data from mobile devices, as well as malware that fingerprints Bluetooth devices using the Windows Bluetooth API.
Based on telemetry data, victims of this campaign include investment and trading companies in Vietnam and Russia that may have links to North Korea, and diplomatic entities in Hong Kong and North Korea. One Russia-based victim infected by ScarCruft was found to have been previously hit by the Korean-speaking DarkHotel group.
“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve,” said Seongsu Park, senior security researcher, Global Research and Analysis Team, Kaspersky Lab.
All Kaspersky Lab products successfully detect and block this threat, the company said.