North Korean cyberspies deploy new malware that harvests Bluetooth data

ScarCruft hackers deploy Bluetooth-harvesting malware in recent campaign.
Written by Catalin Cimpanu, Contributor

A group of North Korean state-sponsored hackers has developed and deployed a new strain of malware that harvests information about Bluetooth devices connected to Windows systems.

Discovered by Kaspersky Lab, the malware is typically dropped as a second-stage payload on machines the group has already compromised, rather than being used for the initial intrusion.

On an infected system it calls the Windows Bluetooth APIs to enumerate the Bluetooth devices the host knows about and records, for each device, its name, its device class, its Bluetooth address, and three status flags: whether the device is currently connected, whether it has been authenticated (paired), and whether Windows has it on record as a remembered device.

It is currently unknown why the group is collecting such detailed Bluetooth inventories from infected hosts. One plausible reason is to map a victim's device portfolio (phones, headsets, keyboards, wearables) so that attacks against those Bluetooth devices can be planned at a later point.
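The following PowerShell script is an added example, not code from the article or from Kaspersky's report. It collects exactly the attributes listed above through the Win32 Bluetooth API that Windows exposes for this purpose: BluetoothFindFirstDevice / BluetoothFindNextDevice and the BLUETOOTH_DEVICE_INFO structure from bluetoothapis.h, reached here through P/Invoke. The structure, function and field names are the real Windows ones; the BtEnum, BtDevice, Enumerate, FormatAddress and MajorClass names, and the major-class table (from the Bluetooth "Class of Device" assigned numbers), are my own. It runs only on Windows with a Bluetooth radio present.

```powershell
# Added example (not the article's or Kaspersky's code): enumerate the Bluetooth
# device attributes the harvester is described as collecting, via bthprops.cpl.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public class BtDevice {
    public string Name; public string Address; public uint ClassOfDevice;
    public bool Connected; public bool Authenticated; public bool Remembered;
}

public static class BtEnum {
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEMTIME {
        public ushort wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds;
    }

    // Mirrors BLUETOOTH_DEVICE_INFO in bluetoothapis.h; Marshal.SizeOf yields 560.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct BLUETOOTH_DEVICE_INFO {
        public uint dwSize;
        public ulong Address;            // BLUETOOTH_ADDRESS: BD_ADDR in the low 48 bits
        public uint ulClassofDevice;     // Class of Device bitfield
        public bool fConnected;          // BOOL (4 bytes) under default marshalling
        public bool fRemembered;
        public bool fAuthenticated;
        public SYSTEMTIME stLastSeen;
        public SYSTEMTIME stLastUsed;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 248)] public string szName;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct BLUETOOTH_DEVICE_SEARCH_PARAMS {
        public uint dwSize;
        public bool fReturnAuthenticated, fReturnRemembered, fReturnUnknown, fReturnConnected, fIssueInquiry;
        public byte cTimeoutMultiplier;  // inquiry length in units of 1.28 s
        public IntPtr hRadio;            // IntPtr.Zero = search on every local radio
    }

    [DllImport("bthprops.cpl", SetLastError = true)]
    static extern IntPtr BluetoothFindFirstDevice(ref BLUETOOTH_DEVICE_SEARCH_PARAMS p, ref BLUETOOTH_DEVICE_INFO info);
    [DllImport("bthprops.cpl", SetLastError = true)]
    static extern bool BluetoothFindNextDevice(IntPtr hFind, ref BLUETOOTH_DEVICE_INFO info);
    [DllImport("bthprops.cpl", SetLastError = true)]
    static extern bool BluetoothFindDeviceClose(IntPtr hFind);

    // Print the 48-bit BD_ADDR most-significant byte first, as on a device label.
    public static string FormatAddress(ulong a) {
        var b = new byte[6];
        for (int i = 0; i < 6; i++) b[i] = (byte)(a >> (8 * (5 - i)));
        return BitConverter.ToString(b).Replace('-', ':');
    }

    // The major device class lives in bits 8..12 of the Class of Device field
    // (Bluetooth assigned numbers); this is what reveals the "device portfolio".
    public static string MajorClass(uint cod) {
        switch ((cod >> 8) & 0x1F) {
            case 1: return "Computer";   case 2: return "Phone";
            case 3: return "LAN/NAP";    case 4: return "Audio/Video";
            case 5: return "Peripheral"; case 6: return "Imaging";
            case 7: return "Wearable";   case 8: return "Toy";
            case 9: return "Health";     case 31: return "Uncategorized";
            default: return "Misc";
        }
    }

    public static List<BtDevice> Enumerate(bool issueInquiry) {
        var found = new List<BtDevice>();
        var p = new BLUETOOTH_DEVICE_SEARCH_PARAMS();
        p.dwSize = (uint)Marshal.SizeOf(typeof(BLUETOOTH_DEVICE_SEARCH_PARAMS));
        p.fReturnAuthenticated = p.fReturnRemembered = p.fReturnUnknown = p.fReturnConnected = true;
        p.fIssueInquiry = issueInquiry;            // false = passive: only devices Windows already knows
        p.cTimeoutMultiplier = issueInquiry ? (byte)4 : (byte)0;
        p.hRadio = IntPtr.Zero;

        var info = new BLUETOOTH_DEVICE_INFO();
        info.dwSize = (uint)Marshal.SizeOf(typeof(BLUETOOTH_DEVICE_INFO));
        IntPtr h = BluetoothFindFirstDevice(ref p, ref info);
        if (h == IntPtr.Zero) return found;        // no radio, or ERROR_NO_MORE_ITEMS
        try {
            do {
                found.Add(new BtDevice {
                    Name = info.szName, Address = FormatAddress(info.Address),
                    ClassOfDevice = info.ulClassofDevice, Connected = info.fConnected,
                    Authenticated = info.fAuthenticated, Remembered = info.fRemembered });
                info = new BLUETOOTH_DEVICE_INFO();
                info.dwSize = (uint)Marshal.SizeOf(typeof(BLUETOOTH_DEVICE_INFO));
            } while (BluetoothFindNextDevice(h, ref info));
        } finally { BluetoothFindDeviceClose(h); }
        return found;
    }
}
'@
Add-Type -TypeDefinition $src

# Passive pass first (what a quiet collector would do), then an active inquiry
# that additionally discovers unpaired devices within radio range.
foreach ($inquiry in $false, $true) {
    "--- issueInquiry = $inquiry ---"
    [BtEnum]::Enumerate($inquiry) |
        Select-Object Name, Address,
            @{ n = 'Class'; e = { [BtEnum]::MajorClass($_.ClassOfDevice) } },
            Connected, Authenticated, Remembered |
        Format-Table -AutoSize
}
```

Two practitioner notes on the design. The passive call (fIssueInquiry = false) returns only devices Windows already has on record, which is all an implant needs to profile a victim without lighting up the radio; the active inquiry is the noisier variant. On the defensive side, any process that enumerates devices this way has to load bthprops.cpl (on current Windows builds a forwarder to BluetoothApis.dll), so an image-load event for that module in a process that is neither a Windows Bluetooth component nor a known application is a cheap hunting signal; that is my suggestion, not something the article or Kaspersky's report claims about this sample.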

Malware is the work of ScarCruft APT

According to Kaspersky, the malware is the work of a hacking group codenamed ScarCruft, which the company has been tracking since 2016.

Several North Korea-based hacking groups are active today. Some focus on stealing money from banks, some target cryptocurrency exchanges, and others concentrate on cyber-espionage.

ScarCruft belongs to the latter category, attacking targets for political and intelligence-gathering reasons.

"We have found several victims of this campaign, based on our telemetry - investment and trading companies in Vietnam and Russia," Kaspersky said in a report today. "We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them."

ScarCruft also attacked a diplomatic agency in Hong Kong and another in North Korea.

"It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes," the antivirus vendor said.

Image: ScarCruft campaign overview (Kaspersky)

The security vendor also noticed something peculiar about these attacks: some of the victims had previously been infected by other North Korean hacking groups, such as DarkHotel.

This suggests that, contrary to what some have assumed, these groups do not necessarily coordinate with each other; at least some of them act independently and end up targeting and infecting the same victims.

For now, the mystery remains as to why ScarCruft has deployed Bluetooth-harvesting malware.

Security researchers and malware enthusiasts can find a more detailed description of this ScarCruft campaign on the Kaspersky website.
