Kaspersky Lab researchers monitoring the activity of ScarCruft, a skilled, Korean-speaking threat actor, have discovered that the group is testing and creating new tools and techniques, and extending both the range and volume of information collected from victims. Among other things, the group has created code able to identify connected Bluetooth devices.
The ScarCruft advanced persistent threat (APT) is believed to be state-sponsored and usually targets government entities and companies with links to the Korean peninsula, apparently in search of information of political interest. In the latest activity observed by Kaspersky Lab, there are signs that the threat actor is evolving, testing new exploits, developing an interest in data from mobile devices and showing resourcefulness in adapting legitimate tools and services to its cyber espionage operations.
The group’s attacks begin, like those of many other APTs, with either spear-phishing or strategic website compromise – also known as ‘watering-hole’ attacks – using an exploit or other tricks to infect certain visitors.
In ScarCruft’s case, this is followed by a first-stage infection able to bypass Windows UAC (User Account Control), which enables it to execute the next payload with higher privileges using code normally deployed within organizations for legitimate penetration testing purposes. To evade detection at the network level, the malware uses steganography, hiding the malicious code inside an image file. The final stage of infection involves the installation of a cloud service-based backdoor known as ROKRAT. The backdoor gathers a wide range of information from victim systems and devices and can forward it to four cloud services: Box, Dropbox, pCloud and Yandex.Disk.
Kaspersky Lab’s researchers uncovered an interest in stealing data from mobile devices, as well as malware that fingerprints Bluetooth devices using the Windows Bluetooth API.
Based on telemetry data, victims of this campaign include investment and trading companies in Vietnam and Russia that may have links to North Korea, and diplomatic entities in Hong Kong and North Korea. One Russia-based victim infected by ScarCruft was found to have been previously hit by the Korean-speaking DarkHotel group.
“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve,” said Seongsu Park, senior security researcher, Global Research and Analysis Team, Kaspersky Lab.
All Kaspersky Lab products successfully detect and block this threat.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.
Further information on the latest activity of ScarCruft can be found on Securelist.