ScarCruft continues to evolve, introduces Bluetooth harvester

2019-05-14 Kaspersky

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/


Kaspersky describes ScarCruft as a Korean-speaking, allegedly state-sponsored actor targeting organizations linked to the Korean peninsula; its recent activity used a multi-stage binary infection process. The chain consisted of an initial dropper with a UAC bypass, a downloader that fetched payloads hidden steganographically in image files, and a cloud-service backdoor associated with ROKRAT that could steal data, take screenshots, record audio, execute commands, and exfiltrate through the Box, Dropbox, pCloud, and Yandex cloud storage services. Researchers also found a rare Bluetooth device harvester that collected metadata on connected, authenticated, and remembered devices through the Windows Bluetooth APIs. Telemetry identified victims including investment and trading firms in Vietnam and Russia and diplomatic agencies in Hong Kong and North Korea, with overlap against DarkHotel and Konni activity around at least one Russia-based victim.

Indicators of Compromise

Hash values are 32-character hexadecimal digests (MD5 length). Truncated URL and domain values (ending in "…") are reproduced as given.

Type    Value                              First seen  Last seen
HASH    5380a173757e67d9b12f316771012768   2019-05-14  2019-05-14
HASH    7149c205d634c4d17dae33fffb8a68ab   2019-05-14  2019-05-14
HASH    5e0e11bca0e94914e565c1dcc1ee6860   2019-05-14  2019-05-14
HASH    7a338d08226f5a38353385c8a5dec746   2019-05-14  2019-05-14
HASH    02681a7fe708f39beb7b3cf1bd557ee9   2019-05-14  2019-05-14
HASH    46f66d2d990660661d00f5177306309c   2019-05-14  2019-05-14
HASH    1f5ac2f1744ed9c3fd01fe72ee8d334f   2019-05-14  2019-05-14
HASH    172b4dc27e41e4a0c84a803b0b944d3e   2019-05-14  2019-05-14
HASH    e8b23cfc805353f55ed67cf0af58f305   2019-05-14  2019-05-14
HASH    e88f7f285163d0c080c8d3e525b35ab3   2019-05-14  2019-05-14
HASH    a6bd2cf7bccf552febb8e8347d07529a   2019-05-14  2019-05-14
HASH    ec0e77b57cb9dd7a04ab6e453810937c   2019-05-14  2019-05-14
HASH    032ed0cd234f73865d55103bf4ceaa22   2019-05-14  2019-05-14
HASH    4c2016df6b546326d67ac2a79dea1343   2019-05-14  2019-05-14
HASH    c781f5fad9b47232b3606e4d374900cd   2019-05-14  2019-05-14
HASH    07d2200f5c2d03845adb5b20841faa94   2019-05-14  2019-05-14
HASH    4d3c34a3070643c225be1dbbb3457ad4   2019-05-14  2019-05-14
HASH    d7c94c5ba028dc22a570f660b8dee5b9   2019-05-14  2019-05-14
HASH    03e5e566c1153cb1d18b8bc7c493025f   2019-05-14  2019-05-14
HASH    04371bf88b598b56691b0ad9da08204b   2019-05-14  2019-05-14
HASH    25701492a18854ffdb05317ec7d19c29   2019-05-14  2019-05-14
HASH    899e90a0851649a5c270d1f78baf60f2   2019-05-14  2019-05-14
HASH    c66ef71830341bb99d30964a8089a1fc   2019-05-14  2019-05-14
HASH    f63fc2d11fcebd37be3891def5776f6c   2019-05-14  2019-05-14
HASH    a76c4a79e6ff73bfd7149a49852e8916   2019-05-14  2019-05-14
HASH    0790f1d7a1b9432aa5b8590286eb8b95   2019-05-14  2019-05-14
HASH    22aaf617a86e026424edb7c868742495   2019-05-14  2019-05-14
HASH    5999e01b83aa1cc12a2ad6a0c0dc27c3   2019-05-14  2019-05-14
HASH    4d20f7311f4f617104f559a04afd2fbf   2019-05-14  2019-05-14
URL     https://planar-progress.000webh…   2019-05-14  2019-05-14
URL     http://lotusprintgroup.com/imag…   2019-05-14  2019-05-14
URL     https://buttyfly.000webhostapp.…   2019-05-14  2019-05-14
URL     http://www.rhooters.com/bbs/dat…   2019-05-14  2019-05-14
URL     http://www.stjohns-burscough.or…   2019-05-14  2019-05-14
URL     http://www.jnts1532.cn/phpcms/t…   2019-05-14  2019-05-14
URL     http://acddesigns.com.au/demo/r…   2019-05-14  2019-05-14
URL     https://planar-progress.000webh…   2019-05-14  2019-05-14
URL     http://kmbr1.nitesbr1.org/UserF…   2019-05-14  2019-05-14
DOMAIN  buttyfly.000webhostapp.com         2019-05-14  2019-05-14
DOMAIN  planar-progress.000webhostapp.c…   2019-05-14  2019-05-14
DOMAIN  lotusprintgroup.com                2019-05-14  2019-05-14
IPv4    34.13.42.35                        2019-05-14  2019-05-14
IPv4    120.192.73.202                     2019-05-14  2019-05-14
IPv4    180.182.52.76                      2019-05-14  2019-05-14
URL     http://kmbr1.nitesbr1.org/UserF…   2018-10-01  2019-05-14
DOMAIN  kmbr1.nitesbr1.org                 2018-10-01  2019-05-14
DOMAIN  acddesigns.com.au                  2016-11-18  2019-05-14
