The North Korean hacker collective known as ScarCruft has been found to use a new infiltration device — a Bluetooth harvesting tool allowing them to acquire a lot of sensitive information about the victim devices. The group is alternatively known as APT37, Reaper or Group123.
CVE-2018-4878: ScarCruft Hackers Now Spy Via Bluetooth Device Harvesting
The ScarCruft hackers appear to be set to attack various other targets once again, similar to other hacking groups it is known to act in organized and coordinated campaigns. The team of criminals is highly experienced and otherwise known as APT37, Reaper and Group123. The security reports so far show show that the group has been active since at least 2012 while their actions were first documented in 2016.
So far, the hackers have primarily targeted high-profile targets in South Korea: government, defense, media and military organizations.
The attacks that have been detected are attributed to the group as it fits three criteria: the attacks are using a North Korean IP, the compilation timestamps of the used malware correspond to a North Korean time zone. Also the objectives of the threat seem to be aligned with the interests of the North Korean government. Coordinated campaigns were done against Japan, Vietnam and the Middle East back in 2017 as well. Many of the past attacks have used zero-day vulnerabilities and Trojans.
The latest onset of attacks appear to be using a new sophisticated Bluetooth device harvester. The campaigns are set against high-profile targets — a diplomatic agency in Hong Kong and another one in North Korea. It is believed that the information that is extracted is required by the intelligence agencies of North Korea.
The malware that is associated with the group uses Bluetooth in order to acquire information about the devices, as it uses the wireless technology the attacking device will need to beg in close proximity to the targets. What is interesting about it is that the malware will be downloaded to a computer or device from which the attacks will commence. The Bluetooth harvester is delivered to the victim systems via a privilege escalation bug or via a Windows UAC bypass. The bug which is targeted is described in the CVE-2018-8120 advisory:
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka “Win32k Elevation of Privilege Vulnerability.” This affects Windows Server 2008, Windows 7, Windows Server 2008 R2
The malware will then download an image which will retrieve the final payload. The executable will use the built-in configuration file and connect to the relevant hacker-controlled server. The infected system will evade network level detection by using a steganography approach. The Bluetooth harvester is capable of capturing a lot of sensitive information about the victim devices and/or their users. The final payload is a backdoor called ROKRAT which is used as a Trojan which will allow the hackers to spy on the victims, deploy other threats and steal files.