North Korean hackers install fresh malware program which garners Bluetooth data

A gang of hackers in North Korea, reportedly receiving state sponsorship, recently developed one fresh malware strain which they deployed for garnering information regarding Bluetooth phones bearing a connection with Windows computers. The gang going by the handle ScarCruft and speaking Korean language has been under watch by security researchers who've found that it's developing yet more tools.

ScarCruft is described as one sophisticated persistent threat gang speaking Korean language which security researchers from Kaspersky Lab the security company have been tracking starting no later than 2016. New tools by ScarCruft are undergoing testing by the gang with code which works for identifying Bluetooth phones connected to the PCs for enabling theft of details from the victimized users. The gang, during that period, employed no less that 4 exploits, notable among them a zero-day affecting Adobe Flash for contaminating people situated within India, Nepal, Russia, China, South Korea, Romania and Kuwait.

The discoverer of the malware, Kaspersky Lab explains it's usually installed onto the PCs of victims in the form of second-stage payload within infections that are already active. After getting onto the already contaminated computers, it leverages APIs of Windows Bluetooth for harvesting data from the victimized end-users, particularly the connected Bluetooth phones' names, their classifications, their addresses as also if or not the phone at that time is connected/verified/remembered.

Researchers from Kaspersky Lab further explain that the overlap of threat actors namely ScarCruft with DarkHotel was not new. The two speak Korean language, while their victimology sometimes overlaps. However, both the threat actors appear to be using separate 'tactics, techniques and procedures' (TTPs) while according to the researchers, one gang in practice hangs around behind the other's influence. Arstechnica.com posted this, May 14, 2019.

According to Kaspersky Lab, ScarCruft's foremost attack vectors are spear-phishing e-mails along with different public exploits. After compromising the victim, the assault loads one initial installer that leverages one familiar exploit abusing vulnerability namely CVE-2018-8120 for countering User Account Control on Windows PCs that's done for running the subsequent payload, an installer having escalated rights. This phase links up with the C&C infrastructure for taking further payload.

» SPAMfighter News - 5/22/2019