A recent malware campaign targeting investment companies and diplomatic agencies has shed light on some of the newest practices and tools of reputed North Korean APT group ScarCruft.
While investigating this campaign, researchers from Kaspersky Lab observed a tool for harvesting Bluetooth device data and were able to analyze the group’s multistage binary infection procedure.
ScarCruft, also known as APT37, Group123 and TEMP.Reaper, is closely associated with the remote administration tool ROKRAT, which it uses to conduct cyber espionage. In this campaign, the group’s targets included investment and trading companies based in Vietnam and Russia, both with possible links to North Korea, as well as diplomatic agencies in Hong Kong and North Korea. One Russian victim, which was infected in September 2018, is known to visit North Korea, Kaspersky noted.
“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes,” according to a May 13 company blog post from Kaspersky’s GReAT research team.
Perhaps the most interesting find was the Bluetooth device data harvester, which uses Windows Bluetooth APIs to find information on Bluetooth devices connected to the infected host. Kaspersky describes it as a “rare” malware that collects and saves each device’s name, address and class, and whether it is connected, authenticated or remembered.
In their blog post, the Kaspersky researchers also detail ScarCruft’s binary infection scheme. The process starts with the creation of an initial dropper, which leverages either the open source assessment tool UACME or an exploit for Windows vulnerability CVE-2018-8120 in order to elevate privilege. This enables the attackers to bypass Windows User Account Control and execute a secondary payload fetched from the command-and-control server.
“In order to evade network level detection, the downloader uses steganography,” the blog post explained. “The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted.”
The malicious payload is the aforementioned ROKRAT, which serves as a backdoor for stealing sensitive information, screenshots and audio recordings from victims. “Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose,” the blog post said. “The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data to four cloud services.”
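The downloader described above fetches a valid image with an encrypted payload appended to it. As an added example (not code from Kaspersky's post or from this article), the Python check below measures how many bytes follow a PNG's IEND chunk or a JPEG's EOI marker. The page does not name the image format, so covering these two formats is an assumption, and the sample images are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
RST = range(0xD0, 0xD8)  # JPEG restart markers, which carry no length field

def png_end(data):
    """Offset just past the IEND chunk, or None if the chunk chain is broken."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def jpeg_end(data):
    """Offset just past EOI; segments are walked by length so an FF D9 inside metadata is skipped."""
    pos = 2  # skip SOI (FF D8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker in (0xFF, 0x01, *RST):  # fill byte, or marker without a length
            pos += 1 if marker == 0xFF else 2
        else:
            if pos + 4 > len(data):
                return None
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:  # SOS: skip entropy-coded data to the next real marker
                while pos + 1 < len(data) and (
                        data[pos] != 0xFF or data[pos + 1] in (0x00, *RST)):
                    pos += 1
    return None

def trailing_bytes(data):
    """Bytes after the image's logical end; None if not a parsable PNG/JPEG."""
    end = (png_end(data) if data.startswith(PNG_SIG)
           else jpeg_end(data) if data.startswith(b"\xff\xd8") else None)
    return None if end is None else len(data) - end

# Constructed samples: a minimal PNG chunk chain and a minimal JPEG marker chain.
def _chunk(t, d):
    return struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
SAMPLE_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) \
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1\x00\x06\xff\xd9AB"  # APP1 holding a stray FF D9
               b"\xff\xda\x00\x03\x00\x12\xff\x00\x34\xff\xd9")
```

A non-zero result is a triage signal, not a verdict, since some benign tools also write data after the end marker.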