ScarCruft, An Anti-North Korean Hacking Team
Malware authors continue to find ways to operate at an ever more sophisticated level, especially Advanced Persistent Threats (APTs). One such group, known as the ScarCruft team, was exposed by Kaspersky Lab for running espionage campaigns that use Bluetooth exploits. ScarCruft focuses its attention on breaking into the smartphones of government officials and businessmen operating on the Korean peninsula through Bluetooth. The operation apparently started in 2018, using specially designed modular malware, composed of many modules, with the goal of evading detection.
A Windows-based operation also exists, in which espionage takes place once the group establishes a connection to the target server and deploys a weaponized tool that exploits CVE-2018-8120 in order to render the Windows Account Control useless. “The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. This cloud service-based backdoor contains many features. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose. The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data,” explained Kaspersky Labs in their official blog.
The Windows version of the malware is a full-fledged backdoor suite, capable of connecting to its command and control (C&C) server. Once the C&C receives the new information, it instructs the malware to gather data according to the parameters the author has chosen, while the malware author keeps the code updated remotely, which is useful for bypassing antimalware software. With system-level access, the malware can execute Windows-supported commands, in particular taking advantage of PowerShell features that let it persist across a system reboot rather than being deleted.
Once a persistent infection is established, the malware downloads a Bluetooth harvester module that probes all mobile devices that connect to the Windows PC. It then has man-in-the-middle capabilities, deliberately inspecting the information that flows between the infected PC and the mobile device, mostly for espionage purposes. “We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth,” added Kaspersky Labs.
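The two traits described in the preceding paragraphs, PowerShell-based persistence that survives a reboot and a harvester that reads paired Bluetooth devices through the Windows Bluetooth APIs, are things a defender can check for on a host. The script below is an added example, not code from the article or from Kaspersky Lab's report: it lists Run/RunOnce registry entries and scheduled tasks whose command launches PowerShell, and then inventories the Bluetooth devices known to the machine (the same data the harvester would collect). The match patterns are assumptions chosen for illustration; adjust them to the environment.

```powershell
# Added example (not from the article or Kaspersky Lab): audit a Windows host for
# PowerShell-based persistence and list the Bluetooth devices a harvester could read.
# Run from an elevated PowerShell session on the host being checked.

$hits = @()

# 1. Registry Run/RunOnce keys (per-machine and per-user) whose command launches PowerShell.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed indicator pattern: PowerShell launchers, encoded commands, hidden windows.
$pattern = 'powershell|pwsh|-enc|-EncodedCommand|-w(indowstyle)?\s+hidden'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks with an action that runs PowerShell (another reboot-surviving mechanism).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
}

"== PowerShell persistence candidates (review each; legitimate admin tasks will also match) =="
$hits | Format-Table -AutoSize

# 3. Bluetooth devices known to this host: the information a Bluetooth harvester
#    would obtain through the Windows Bluetooth APIs.
"== Bluetooth devices paired with or present on this host =="
Get-PnpDevice -Class Bluetooth | Select-Object Status, FriendlyName, InstanceId | Format-Table -AutoSize
```

Every entry in the first two tables deserves a look rather than automatic removal, since legitimate management tooling also schedules PowerShell; the value of the third table is knowing which phones or headsets are exposed if a host in this position is compromised.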
The researchers have no conclusive evidence that the ScarCruft team is associated with North Korea, given that the hermit country’s diplomatic agency was also a victim. A Hong Kong government diplomatic agency with strong ties to North Korea was also reported to have fallen for the same espionage campaign. An unnamed public agency in Russia also showed signs of a malware infection similar to the one reported by the Hong Kong and North Korean agencies, showing the threat actor’s motivation to focus its campaign on anyone with diplomatic ties to the nations mentioned.
“ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve,” concluded Kaspersky Labs.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.