Researchers have been monitoring the Korean-speaking threat actor known as ScarCruft and have reportedly discovered that new tools are being developed. According to Kaspersky Lab, ScarCruft is testing tools using code that can identify connected Bluetooth devices in order to steal information from targeted victims.
In addition, researchers reported that they observed similarities between the victims of ScarCruft’s most recent threat campaigns and those victims of the notorious Korean-speaking DarkHotel group.
“The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor performs sophisticated attacks using a zero-day exploit. However, sometimes using public exploit code is quicker and more effective for malware authors. We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign,” researchers wrote.
Believed to be a state-sponsored actor that targets government entities and organizations doing business on the Korean peninsula, the ScarCruft advanced persistent threat (APT) is evolving. Evidence suggests the APT has been expanding into mobile devices and is testing new exploits, which points to considerable resourcefulness. The group has also adapted legitimate tools and services for use in its cyber-espionage operations.
“This is not the first time we have seen ScarCruft and DarkHotel overlap,” said Seongsu Park, senior security researcher, Kaspersky Lab global research and analysis team, in a press release. “They have similar interests in terms of targets but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve.”
ScarCruft launches its attacks using either spear-phishing or ‘watering-hole’ (strategic website compromise) attacks, which are followed by a first-stage infection. The threat actor evades detection at the network level by using steganography: the malicious code is hidden inside an image file so that the download looks like ordinary image traffic.