ScarCruft APT Adds Bluetooth Harvester to its Malware Bag of Tricks

silversurfer
The Korean-speaking ScarCruft APT is changing up its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information, while also showing some overlap with the DarkHotel APT.

An analysis of ScarCruft's binary infection procedure by Kaspersky Lab shows that, in a campaign that continued over the course of 2018, the group used a multi-stage process to update each of its malware modules individually while evading detection.

The researchers said that spear-phishing and the use of various public exploits remain ScarCruft's go-to initial attack vectors. Once the victim is compromised, the attack installs an initial dropper, which uses a known exploit for CVE-2018-8120 to bypass Windows User Account Control (UAC) in order to execute the next payload, a downloader, with higher privileges. This stage connects to the command-and-control (C2) server to grab the next payload, which is hidden inside an image file using steganography.

“The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted,” Kaspersky Lab researchers said, in a posting on Monday.

That payload is a full-featured backdoor and information exfiltration remote access trojan (RAT) known as ROKRAT. The malware can download additional payloads, execute Windows commands, save screenshots and audio recordings, and exfiltrate files.

“Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose,” the researchers explained. “The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data to four cloud services (Box, Dropbox, Pcloud and Yandex).”
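The steganographic delivery step described above (an image file that carries an appended, encrypted payload after the real end of the picture) is easy to check for in a sandbox or at a proxy: parse the image to its genuine end marker and report whatever follows. The following Python is an added example, not code from the original article or from Kaspersky Lab's report. The sample JPEG and PNG bytes are constructed here, the appended blob is a stand-in rather than real malware, and the use of Shannon entropy as a hint that trailing data is encrypted is an assumed heuristic.

```python
"""Detect data appended after the true end of a JPEG or PNG file.

Added example: the sample images below are constructed inline and the
entropy heuristic is an assumption, not a detail from the report.
"""
import math
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Bytes that may follow 0xFF inside JPEG entropy-coded data without ending it:
# 0x00 is byte stuffing, 0xD0-0xD7 are restart markers.
_JPEG_NON_TERMINATING = {0x00} | set(range(0xD0, 0xD8))
_JPEG_STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM and RSTn carry no length field


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking real segments rather
    than searching for the last FF D9 (an EXIF thumbnail contains one too)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI: the image really ends here
            return pos + 2
        if marker in _JPEG_STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                 # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < n and not (
                data[pos] == 0xFF and data[pos + 1] not in _JPEG_NON_TERMINATING
            ):
                pos += 1
    raise ValueError("EOI marker not found")


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk, verifying each chunk CRC on the way."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG (bad signature)")
    pos, n = 8, len(data)
    while pos + 12 <= n:
        length = int.from_bytes(data[pos:pos + 4], "big")
        end = pos + 12 + length
        if end > n:
            raise ValueError("truncated chunk")
        ctype = data[pos + 4:pos + 8]
        if zlib.crc32(data[pos + 4:end - 4]) != int.from_bytes(data[end - 4:end], "big"):
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    return -sum((c / len(buf)) * math.log2(c / len(buf)) for c in Counter(buf).values())


def find_appended_payload(data: bytes):
    """Return (format, end_of_image_offset, trailing_bytes)."""
    if data[:2] == b"\xff\xd8":
        fmt, end = "jpeg", jpeg_end_offset(data)
    elif data[:8] == PNG_SIG:
        fmt, end = "png", png_end_offset(data)
    else:
        raise ValueError("unsupported image format")
    return fmt, end, data[end:]


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


# Constructed samples (not real malware): a minimal JPEG and PNG, each clean, and
# the same files with a 64-byte stand-in blob appended after the end marker.
CLEAN_JPEG = (
    b"\xff\xd8"                                                          # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                        # SOS, length 8
    + b"\x12\x34\xff\x00\x56"                                            # scan data with a stuffed FF 00
    + b"\xff\xd9"                                                        # EOI
)
CLEAN_PNG = (
    PNG_SIG
    + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00")
    + _png_chunk(b"IEND", b"")
)
APPENDED = bytes(range(0x40, 0x60)) * 2   # stand-in for the encrypted payload
INFECTED_JPEG = CLEAN_JPEG + APPENDED
INFECTED_PNG = CLEAN_PNG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("infected.jpg", INFECTED_JPEG),
                       ("clean.png", CLEAN_PNG), ("infected.png", INFECTED_PNG)):
        fmt, end, tail = find_appended_payload(blob)
        print(f"{name}: {fmt} ends at {end}/{len(blob)} bytes, "
              f"{len(tail)} trailing bytes, entropy {shannon_entropy(tail):.2f}")
```

Walking the segment structure matters: a naive search for the last FF D9 or the last IEND is defeated by an EXIF thumbnail, and a first-marker search is defeated by a thumbnail's own EOI. Any non-zero trailing length is worth an alert on its own; the entropy figure only helps decide whether the tail is likely ciphertext rather than, say, a harmless trailing comment.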
 
