ScarCruft Hackers exploit Bluetooth device harvester to spy on victims

ScarCruft, a hacker group from North Korea, has been found using a new tool: a Bluetooth device harvester that lets them collect various sensitive details from a compromised computer. This seemingly highly experienced group, also known as APT37, Reaper or Group123, has been active since at least 2012, and its actions were first noticed in 2016.

So far, ScarCruft's main targets have been high-profile organizations such as government, media and military organizations in South Korea. These attacks were detected and, after analysis, found to fit three criteria:

  • The attackers use a North Korean IP address.
  • The malware's compilation timestamps correspond to the North Korean time zone.
  • The objective aligns with the North Korean government.

The past attacks used zero-day vulnerabilities or Trojans. The campaigns were carried out against Japan, Vietnam and the Middle East.

What's new in the trend: a Bluetooth device harvester is in use

A new, sophisticated Bluetooth device harvester is being used in new campaigns against high-profile targets; a diplomatic agency from Hong Kong and one in North Korea are the latest targets of the attacks. The malware uses Bluetooth to gather sensitive details from a device. After the initial infiltration, the Bluetooth harvester is delivered to the device through a privilege escalation bug or via a UAC bypass. Here are brief details about the bug, CVE-2018-4878:

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka “Win32k Elevation of Privilege Vulnerability.” This affects Windows Server 2008, Windows 7, Windows Server 2008 R2”

Soon after that, an image is sent that downloads a final payload, which connects to the remote server. This final payload is the ROKRAT Trojan, which allows the hackers to steal various sensitive details, deploy other threats and spy on the victims.