
New malware uses Bluetooth to steal information from victims

Its main targets are government entities and organisations doing business in the Korean peninsula


Researchers monitoring the Korean-speaking, state-sponsored group of threat actors known as ScarCruft say they have discovered new malware being developed by the group. It uses code that can identify connected Bluetooth devices, making it easier to steal information from the targeted victims.

Kaspersky Lab says ScarCruft is testing tools that use code to identify connected Bluetooth devices such as smartphones. The main targets are government entities and organisations doing business in the Korean peninsula.

ScarCruft is classified as an advanced persistent threat (APT), and it is evolving: evidence suggests the group has been delving into mobile-device territory and is testing new exploits, which indicates a particular resourcefulness. The group has adapted legitimate tools and services, adding them to its cyber-espionage operations.

ScarCruft is changing up its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information – while also showing some overlap with the DarkHotel APT.


An analysis of ScarCruft’s binary infection procedure by Kaspersky Lab shows that in a campaign that continued over the course of 2018, the group used a multi-stage process to update each of its malware modules effectively while also evading detection.

The researchers said that spear-phishing and the use of various public exploits remain ScarCruft’s go-to initial attack vectors.

Once the victim is compromised, the attack installs an initial dropper which uses a known exploit for CVE-2018-8120 to bypass Windows User Account Control in order to execute the next payload, a downloader, with higher privileges.

This stage connects with the command-and-control or C2 server to grab the next payload, which is hidden in an image using steganography.

“The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted,” Kaspersky Lab researchers said, in a posting on Monday.

That payload is a full-featured backdoor and information-exfiltration remote access trojan (RAT) known as ROKRAT. The malware can download additional payloads, execute Windows commands, save screenshots and audio recordings, and exfiltrate files.
