ScarCruft Introduces Bluetooth Harvester

According to researchers at Kaspersky Labs a Korean-speaking hacker group called ScarCruft, which is alleged to be a state-sponsored advanced persistent threat (APT) group, has increased its cyber-espionage ability by including a Bluetooth harvesting module within its current arsenal of cyber weapons. The group is known for targeting organizations and companies with links to the Korean peninsula and is known to use common techniques such as spear phishing and strategic web compromises to carry out campaigns. The latter technique, strategic web compromises sometimes also referred to as watering-hole attacks, where the attacker compromises a carefully selected website by inserting an exploit resulting in malware infection.

Kaspersky has been tracking ScarCruft activity since 2016 with what was termed Operation Daybreak where the group used a zero-day exploit to begin the process of infecting victims with malware. The malware traditionally is installed in a multi-stage process designed to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. The next step in the infection process occurs when the malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the command and control server to fetch the next payload. One of the key features of the malware is one of the methods it uses to avoid detection. The downloaded malware comes in the form of an image file with malicious code hidden within.

What has interested researchers is that the malware package now includes a module designed to harvest data from Bluetooth enabled devices.

scarcruft introduces bluetooth harvester

In Kaspersky’s latest report the Bluetooth harvester is fetched by a downloader and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information:

  • Name of the device
  • Address of the device
  • Class of the device
  • Whether the device is connected or not
  • Whether the device is authenticated or not
  • Whether the device is a remembered device or not.

It is believed that this update drastically increases the scope of information and data that can be stolen by the group. Currently, the latest version of the ScarCruft malware is been deployed against targets situated within the Korean peninsula. The targets include investment and trading companies in Vietnam and Russia as well as a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea. It can be safely assumed that information stolen is been used for both political and diplomatic intelligence. It was further discovered by researchers that one victim who resides in Russia triggered a malware detection while staying in North Korea in the past. The fact that this victim visits North Korea makes it special and suggests that it may have valuable information about North Korean affairs.

Overlap with DarkHotel

The Russian victim who had visited North Korea was infected by ScarCruft on September 21, 2018, however, another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26, 2018. The latter malware infection is known to be a tool of another APT group DarkHotel. Further, the victim was also infected with the Konni malware shortly after the GreezeBackdoor. Konni was disguised as a North Korean news item in weaponized documents with the name of the document being “Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip”. To researchers, this suggested a potential overlap in activities with DarkHotel and ScarCruft with interesting implications. This overlap has been explored previously by researchers working for Kaspersky Lab’s, according to a white paper compiled by   Costin Raiu and Juan Andrés Guerrero-Saade is was stated that,

“According to our telemetry, DarkHotel’s Operation Daybreak links were used as early as April 2016; ScarCruft’s Operation Erebus links were first used in attacks on 26 May 2016. This suggests the possibility that the ScarCruft actor may have observed the DarkHotel attacks. They succeeded in breaching the same website and used it for another set of attacks on 26 May. The hacked site overlap was enough to trick us (and other researchers) into believing that ScarCruft and DarkHotel were the same threat actor, and thereby that Operation Erebus and Operation Daybreak were launched by the same actor.”

After further investigation it was discovered that that was not one in the same threat actor, stating that,

“Focusing on TTPs and victim tasking is useful in further disambiguating the two threat actors…DarkHotel’s Operation Daybreak…relied on spear-phishing emails served to victims in the geographical focus illustrated in Figure 4: predominantly targeting Chinese victims with a Flash Player zero-day. Meanwhile, ScarCruft’s
Operation Erebus focused primarily on South Korea.”

This instance of an overlap illustrates the difficulty the researcher’s face in attributing who is responsible for cyber attack campaigns. One of the reasons ScarCruft may adopt similar tactics to DarkHotel, or piggyback on DarkHotel infections, is that the attacker can hide behind the overlap and prevent detection. By confusing the researcher as to the tactics used could lead the researcher to look for known indicators of compromise for the piggybacked group but not the one overlapping. With all the evidence Kaspersky Labs has uncovered it has led researchers to conclude that ScarCruft has shown itself to be a highly-skilled and active group with a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Future campaigns with further evolved malware are to be expected by the group.