ScarCruft: Korean-speaking threat actor evolves, creates malware to identify connected Bluetooth devices

Kaspersky Lab researchers monitoring the activity of ScarCruft, a skilled, Korean-speaking threat actor, have discovered that the group is testing and creating new tools and techniques, and extending both the range and volume of information collected from victims. Among other things, the group has created code that is able to identify connected Bluetooth devices.

The ScarCruft advanced persistent threat (APT) is believed to be state-sponsored and usually targets government entities and companies with links to the Korean peninsula, apparently in search of information of political interest. In the latest activity observed by Kaspersky Lab, there are signs that the threat actor is evolving, testing new exploits, developing an interest in data from mobile devices and showing resourcefulness in adapting legitimate tools and services to its cyber espionage operations.

In ScarCruft’s case, this is followed by a first stage infection able to bypass Windows UAC (User Account Control), which enables it to execute the next payload with higher privileges using code normally deployed within organizations for legitimate penetration testing purposes.
In order to evade detection at the network level, the malware uses steganography, hiding the malicious code in an image file. The final stage of infection involves the installation of a cloud service-based backdoor known as ROKRAT. The backdoor gathers up a wide range of information from victim systems and devices and can forward it to four cloud services: Box, Dropbox, pCloud and Yandex.Disk.
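The report says the malicious code is hidden in an image file. One inexpensive check a defender can run on images arriving by mail or downloaded by endpoints is to verify that the file ends where the image format says it ends: a PNG must finish with its IEND chunk, and anything after that is not image data. The script below is an added example written for this summary, not code from Kaspersky Lab or from the ScarCruft tooling; it assumes the payload is appended after the image's end marker, which is one common carrier technique and not necessarily the one ScarCruft used. The sample PNG and the appended bytes are constructed inline so it runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used only as sample input (not a real artefact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    raw = b"\x00\x00"  # one scanline: filter byte + one grey pixel
    return (PNG_SIG
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw))
            + _png_chunk(b"IEND", b""))


def png_trailing_bytes(blob: bytes) -> int:
    """Walk the chunk list, validating each CRC, and return the number of
    bytes that follow the IEND chunk (0 for a clean file).  Raises ValueError
    for data that is not a well-formed PNG, so callers can route it for review."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 len + 4 type + data + 4 crc
        if end > len(blob):
            raise ValueError("truncated chunk")
        data = blob[pos + 8:pos + 8 + length]
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        actual = struct.unpack(">I", blob[pos + 8 + length:end])[0]
        if expected != actual:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return len(blob) - pos
    raise ValueError("no IEND chunk")


def scan_png(blob: bytes) -> dict:
    """Triage verdict for one PNG: trailing byte count and a cheap hint
    whether the trailer starts with a DOS/PE header (MZ)."""
    trailing = png_trailing_bytes(blob)
    trailer = blob[len(blob) - trailing:] if trailing else b""
    return {
        "trailing_bytes": trailing,
        "trailer_starts_with_mz": trailer.startswith(b"MZ"),
        "suspicious": trailing > 0,
    }


if __name__ == "__main__":
    clean = build_sample_png()
    # Constructed "tainted" sample: the same image with 32 bytes appended.
    tainted = clean + b"MZ" + b"\x90" * 30
    print("clean  :", scan_png(clean))
    print("tainted:", scan_png(tainted))
```

A file that parses cleanly and has zero trailing bytes can still carry a payload embedded inside pixel data (true steganography), so this check is a cheap first filter, not proof of a benign image; treat any trailer, a CRC failure, or a missing IEND as a reason to quarantine and inspect the file.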