Researchers monitoring ScarCruft, a Korean-speaking state-sponsored group of ‘threat actors’, say they have discovered new malware the group is developing that includes code to identify connected Bluetooth devices, making it easier to collect information from targeted victims.

Kaspersky Lab says ScarCruft is testing tools with code that can identify connected Bluetooth devices such as smartphones. The group's main targets are government entities and organisations doing business on the Korean peninsula.

ScarCruft is an advanced persistent threat (APT) group that is still evolving: evidence suggests it has been moving into mobile-device territory and testing new exploits, which indicates a particular resourcefulness. The group has also adapted legitimate tools and services for its cyber-espionage operations.

ScarCruft is changing its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information, while also showing some overlap with the DarkHotel APT.


An analysis of ScarCruft’s binary infection procedure by Kaspersky Lab shows that, in a campaign that ran through 2018, the group used a multi-stage process to update each of its malware modules effectively while also evading detection.

The researchers said that spear-phishing and the use of various public exploits remain ScarCruft’s go-to initial attack vectors.

Once a victim is compromised, the attack installs an initial dropper that uses a known exploit for CVE-2018-8120 to bypass Windows User Account Control (UAC) and execute the next payload, a downloader, with higher privileges. CVE-2018-8120 is a Win32k elevation-of-privilege flaw that Microsoft patched in May 2018, so this step only works on hosts that have not applied that update.

This stage connects to the command-and-control (C2) server to fetch the next payload, which is hidden in an image file using steganography.

“The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted,” Kaspersky Lab researchers said, in a posting on Monday.
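The carrier technique described here, a legitimate image with a payload appended after its logical end, can be flagged without knowing the decryption routine: parse the image format to its terminator and treat anything after it as a trailer. The following is an added example written for this page, not Kaspersky Lab's analysis or any code from the ScarCruft sample. It walks a PNG's chunk list to the IEND chunk and reports the length and byte entropy of whatever follows; the 1x1 PNG and the appended bytes are constructed inline for the demo, and the entropy threshold is a triage heuristic, not a signature.

```python
"""Detect data appended after a PNG's IEND chunk (added example, constructed inputs)."""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png_1x1() -> bytes:
    """Build a valid 1x1 RGB PNG to act as the constructed carrier image."""
    def chunk(kind: bytes, data: bytes) -> bytes:
        body = kind + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)

    # IHDR: width=1, height=1, bit depth 8, colour type 2 (RGB), no interlace
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    # one scanline: filter byte 0 followed by a single red pixel
    idat = chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
    return PNG_SIG + ihdr + idat + chunk(b"IEND", b"")


def png_logical_end(data: bytes):
    """Return the offset just past IEND's CRC, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            return None                      # truncated chunk: not a clean image
        if kind == b"IEND":
            return end
        pos = end
    return None                              # ran out of data before IEND


def appended_payload(data: bytes) -> bytes:
    """Bytes after the image's logical end; empty for a clean image or a malformed one."""
    end = png_logical_end(data)
    return b"" if end is None else data[end:]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Summarise whether an image carries a trailer worth pulling apart by hand."""
    tail = appended_payload(data)
    return {
        "png_end": png_logical_end(data),
        "trailer_len": len(tail),
        "trailer_entropy": round(shannon_entropy(tail), 2),
        "suspicious": len(tail) > 0,
    }


if __name__ == "__main__":
    clean = build_png_1x1()
    # constructed stand-in for an appended, encrypted stage (uniform byte distribution)
    carrier = clean + bytes(range(256)) * 4
    print(triage(clean))
    print(triage(carrier))
```

A JPEG needs a different walker (marker segments up to SOS, then the entropy-coded data in which 0xFF is always byte-stuffed), but the principle is the same: compute the end offset from the format, never from the file size, because the appended stage is exactly what makes the file larger than the image.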

That payload is a full-featured backdoor and information-exfiltration remote access trojan (RAT) known as ROKRAT. The malware can download additional payloads, execute Windows commands, save screenshots and audio recordings, and exfiltrate files.