ScarCruft APT Group Targets Bluetooth With Malware: ReportKaspersky Lab Says Korean-Speaking Group Expanding Its Arsenal
ScarCruft, a Korean-speaking advanced persistent threat group that has mainly targeted organizations in Southeast Asia over the last three years, is steadily increasing its malware arsenal and devising new techniques for spying as well as stealing data, according to a new analysis by Kaspersky Lab.
The group has developed a "Bluetooth harvester," rare malware that could potentially collect and steal data from connected devices. Kaspersky analysts say the malware is in the early development stages and has not been spotted in the wild.
"The code relating to Bluetooth can identify the devices, but this tool is in the early stages and not yet able to exploit or steal data direct from the Bluetooth device," Seongsu Park, a senior security researcher with Kaspersky Lab who worked on the analysis, tells Information Security Media Group.
The fact that ScarCruft, which has not been tied to a specific nation-state sponsor, is attempting to develop these and other tools shows how ambitious the group has become, the analysis finds. Research also shows the APT group, which initially targeted organizations on the Korean peninsula, is expanding its list of targets to include investment and trading companies in Vietnam and Russia as well as a diplomatic agency in Hong Kong.
"ScarCruft has only targeted very high-profile individuals, companies or organizations," Park says. "ScarCruft has an interest in North Korean affairs. They usually attack individuals or employees who are related to the Korean peninsula."
Concerns Over Bluetooth
The Kaspersky report, released Monday, offers several new details about ScarCruft's evolution over the past three years and its efforts to deploy more complex and malicious tools as part of its spying operations.
ScarCruft, which is also called Reaper and Group 123, first came to researchers' attention in 2016 for a zero-day exploit aimed at Adobe Flash called "Operation Daybreak" (see: Adobe Flings Flash Fix for Fresh APT Target).
In the three years since then, ScarCruft has started to take advantage of more publicly available software exploits to penetrate networks and create backdoors for spying as well as stealing data. "We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign," Park says.
The APT group, however, has also developed a taste for creating its own tools and techniques. It's interest in taking advantage of Bluetooth is one example.
The Bluetooth harvester technique would bring the group's activities to a new level, Kaspersky notes. The malware is designed to take advantage of Windows Bluetooth APIs and has the potential to identify devices and collect the name of the device as well as its address, its class and whether the device is connected, authenticated and remembered, the report notes.
This focus on targeting mobile devices is only one part of the group's activity.
Kaspersky researchers have also observed the group's other operations, which typically start with a spear-phishing attack. Once the attackers have gained a foothold in the network, a dropper is deployed that can bypass Windows' User Account Control, and this leads to the execution of the next payload, the researchers say.
That payload takes advantage of UACMe, an open source assessment tool used in legitimate penetration testing, to escalate privileges within the network, the research shows. The group also deploys another downloader that uses steganography to hide additional malware within an image file (see: The Rise of Self-Concealing Steganography).
The final stage is to install Rokrat, a well-known backdoor used to steal data and send it back to a command-and-control server. It can also executive Windows commands and save audio files as well as screenshots of the infected systems, the Kaspersky research shows. This backdoor was first discovered by researchers at Cisco Talos in 2017.
Ties to DarkHotel
As part of their research, the Kaspersky team also found that ScarCruft uses some of the same malware as another Korean-speaking APT group called DarkHotel. Both groups have used malicious software called GreezeBackdoor and Konni against the same Russian target, Kaspersky notes.
DarkHotel, which has been active since at least 2010, gets its name from following targets from hotel to hotel as they travel around the world by compromising the networks of these lodgings, according to Kaspersky.
It's not clear if the two APT groups are connected, are rivals or simply have interest in the same victims, Park says.
"Both ScarCruft and DarkHotel are Korean-speaking threat actors and sometimes their victimology overlaps," Park says. "They have used the same compromised command and control server before. But both groups seem to have different TTPs [tactics, techniques and procedures], and it leads us to believe that one group regularly lurks in the other's shadow, although we don't know exactly who is following whom."