ScarCruft: Korean-speaking threat actor evolves, creates malware to identify connected Bluetooth devices

Kaspersky Lab researchers monitoring the highly skilled, Korean-speaking threat actor ScarCruft, have discovered that the group is creating new tools, such as code that can identify connected Bluetooth devices, to collect vast amounts of information from its targets. Company researchers have also observed an overlap among victims of ScarCruft’s latest threat campaigns and victims of the notorious Korean-speaking DarkHotel group.

The ScarCruft advanced persistent threat (APT) is believed to be state-sponsored and usually targets government entities and companies with links to the Korean peninsula, likely searching for information of political interest. In the latest activity observed by Kaspersky Lab, there are signs that this threat actor is evolving, testing new exploits, developing an interest in data from mobile devices, and showing resourcefulness in adapting legitimate tools and services to its cyberespionage operations.

Like the attacks of many other APTs, ScarCruft’s attacks begin with either spear-phishing or strategic website compromise – also known as ‘watering-hole’ attacks – using an exploit or other tricks to infect certain visitors. This is followed by a first stage infection able to bypass Windows User Account Control, which enables it to execute the next payload with higher privileges using code normally deployed within organizations for legitimate penetration testing purposes. In order to evade detection at the network level, the malware uses steganography, hiding the malicious code in an image file.

The final stage of infection involves the installation of a cloud service-based backdoor, known as ROKRAT. The backdoor gathers up a wide range of information from victim systems and devices, and can forward it to four cloud services: Box, Dropbox, pCloud and Yandex.Disk.

Kaspersky Lab’s research revealed ScarCruft’s interest in stealing data from mobile devices. The company also discovered malware that the group created which fingerprints Bluetooth devices using the Windows Bluetooth API.

Based on telemetry data, victims of this campaign include investment and trading companies in Vietnam and Russia that may have links to North Korea, and diplomatic entities in Hong Kong and North Korea. One Russia-based victim infected by ScarCruft was found to have been previously hit by the Korean-speaking DarkHotel group.

“This is not the first time we have seen ScarCruft and DarkHotel overlap,” said Seongsu Park, senior security researcher, Kaspersky Lab Global Research and Analysis Team. “They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve.”

All Kaspersky Lab products successfully detect and block this threat.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend the following measures:

• Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
• For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
• As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.

Further information on the latest activity of ScarCruft can be found on Securelist.