New malware uses Bluetooth to steal information from victims

Its main targets are government entities and organisations doing business in the Korean peninsula





Researchers tracking ScarCruft, a Korean-speaking state-sponsored threat actor, say the group is developing new malware that contains code to identify Bluetooth devices connected to a victim's machine, giving it another way to collect information about its targets.

Kaspersky Lab says ScarCruft is testing tools whose code can identify connected Bluetooth devices such as smartphones; the group's main targets are government entities and organisations doing business on the Korean peninsula.

ScarCruft is classified as an advanced persistent threat (APT), and the evidence suggests it is evolving: the group has been moving into mobile devices and testing new exploits, which indicates considerable resourcefulness. It has also adapted legitimate tools and services for use in its cyber-espionage operations.

ScarCruft is changing its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information, and its activity shows some overlap with the DarkHotel APT.


Kaspersky Lab's analysis of ScarCruft's binary infection procedure shows that, in a campaign that ran through 2018, the group used a multi-stage process that let it update each of its malware modules effectively while evading detection.

The researchers said that spear-phishing and the use of various public exploits remain ScarCruft’s go-to initial attack vectors.

Once a victim is compromised, an initial dropper uses a known exploit for CVE-2018-8120 (a Win32k privilege-escalation flaw patched by Microsoft in May 2018) to bypass Windows User Account Control (UAC) and run the next stage, a downloader, with higher privileges.

The downloader then contacts the command-and-control (C2) server to fetch the next payload, which is hidden in an image file using steganography.

“The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted,” Kaspersky Lab researchers said, in a posting on Monday.
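Kaspersky's description of the downloaded payload (a valid image with a malicious payload appended) points to a simple check a responder can run on any file a suspect downloader fetched: parse the image container and report whatever sits after its logical end. The script below is an added example written for this page, not code from Kaspersky Lab or from the ScarCruft samples. It walks PNG chunks (verifying each CRC) to the IEND chunk and JPEG marker segments, including entropy-coded scan data, to the EOI marker, then reports the size and byte entropy of the trailing data. The 1x1 PNG, the JPEG skeleton and the payload bytes are constructed inline and labelled as such, and no decryption is attempted because the page gives no details of the scheme ROKRAT's loader uses.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end(data):
    """Walk PNG chunks, verifying each CRC, and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length            # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk")


def jpeg_end(data):
    """Walk JPEG marker segments (including scan data) and return the offset just past EOI."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:                 # EOI: the image logically ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == 0xDA:                 # SOS: scan data runs until a non-stuffed, non-RST marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker")


def image_end(data):
    if data.startswith(PNG_SIG):
        return png_end(data)
    if data.startswith(b"\xff\xd8"):
        return jpeg_end(data)
    raise ValueError("unsupported image format")


def trailing_payload(data):
    """Return everything after the image's logical end; b'' for a clean file."""
    return data[image_end(data):]


def shannon_entropy(blob):
    """Bits per byte; values near 8.0 suggest compressed or encrypted data."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_image(data):
    tail = trailing_payload(data)
    return {
        "image_bytes": len(data) - len(tail),
        "trailing_bytes": len(tail),
        "trailing_entropy": round(shannon_entropy(tail), 2),
    }


def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png_1x1():
    """Constructed minimal 1x1 RGB PNG, standing in for a real downloaded image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Constructed JPEG skeleton: SOI, APP0, SOS, scan bytes with a stuffed FF 00 and an RST0 marker, EOI.
CONSTRUCTED_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
                    + b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
                    + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")

# Constructed stand-in for an encrypted payload: a permutation of all 256 byte values (entropy 8.0).
CONSTRUCTED_PAYLOAD = bytes((i * 73) % 256 for i in range(256))

if __name__ == "__main__":
    print(scan_image(build_png_1x1()))
    print(scan_image(build_png_1x1() + CONSTRUCTED_PAYLOAD))
    print(scan_image(CONSTRUCTED_JPEG + CONSTRUCTED_PAYLOAD))
```

Two caveats when using this on real files. A zero-length tail does not clear an image: appending after IEND or EOI is only one way to hide data, and techniques that embed the payload inside pixel data (least-significant-bit embedding, for example) leave the container structurally intact. Conversely, some legitimate software writes metadata after EOI, so a non-empty tail is a lead to inspect, and a high entropy value on that tail is a hint that it is compressed or encrypted, not proof of malice.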

That payload is ROKRAT, a full-featured backdoor and information-stealing remote access trojan (RAT). It can download additional payloads, execute Windows commands, capture screenshots and audio recordings, and exfiltrate files. -/TISG
