A recent malware campaign targeting investment companies and diplomatic agencies has shed light on some of the newest practices and tools of reputed North Korean APT group ScarCruft.
While investigating this campaign, researchers from Kaspersky Lab observed a tool for harvesting Bluetooth device data and were able to analyze the group’s multistage binary infection procedure.
ScarCruft, also known as APT37, Group123 and TEMP.Reaper, is closely associated with the remote administration tool ROKRAT, which it uses to conduct cyber espionage. In this campaign, the group’s targets included investment and trading companies based in Vietnam and Russia, both with possible links to North Korea, as well as diplomatic agencies in Hong Kong and North Korea. One Russian victim, which was infected in September 2018, is known to visit North Korea, Kaspersky noted.
“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes,” according to a May 13 company