A North Korean hacking group has developed and deployed new malware that collects information about the Bluetooth devices associated with Windows systems. Kaspersky Lab found that the malware is delivered to the victim's computer as a second-stage payload of the infection. On an infected system, it uses the Windows Bluetooth API to enumerate devices and records, for each one, the device name, device class (type), address, and whether the device is currently connected, authenticated and remembered.
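The enumeration described above can be reproduced on a Windows host through the public Win32 Bluetooth API, which is the quickest way to see exactly what such a harvester gets from a machine. The PowerShell script below is an added example written for this page, not code from Kaspersky or from the malware itself; it P/Invokes BluetoothFindFirstDevice, BluetoothFindNextDevice and BluetoothFindDeviceClose from bthprops.cpl and fills the documented BLUETOOTH_DEVICE_INFO structure. The .NET-side names (BtNative, BtDeviceInfo, BtSearchParams, BtDeviceRecord, Enumerate) are this example's own; the structures, flags and functions are Microsoft's as declared in BluetoothAPIs.h. It runs as an unprivileged user.

```powershell
# Added example: reproduce what a Bluetooth harvester sees through the Win32
# Bluetooth API (bthprops.cpl). Type names BtNative/BtDeviceInfo/... are this
# example's own; the Win32 structs and functions are Microsoft's.
$source = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct SystemTime { public ushort Year, Month, DayOfWeek, Day, Hour, Minute, Second, Millisecond; }

// BLUETOOTH_DEVICE_SEARCH_PARAMS from BluetoothAPIs.h
[StructLayout(LayoutKind.Sequential)]
public struct BtSearchParams
{
    public uint dwSize;
    public int fReturnAuthenticated, fReturnRemembered, fReturnUnknown, fReturnConnected, fIssueInquiry;
    public byte cTimeoutMultiplier;
    public IntPtr hRadio;             // NULL = search every local radio
}

// BLUETOOTH_DEVICE_INFO from BluetoothAPIs.h (560 bytes; dwSize must be set by the caller)
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct BtDeviceInfo
{
    public uint dwSize;
    public ulong Address;             // BLUETOOTH_ADDRESS: 48-bit BD_ADDR held in a ULONGLONG
    public uint ulClassofDevice;
    public int fConnected, fRemembered, fAuthenticated;
    public SystemTime stLastSeen, stLastUsed;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 248)]
    public string szName;             // BLUETOOTH_MAX_NAME_SIZE
}

public class BtDeviceRecord
{
    public string Name; public string Address; public string MajorClass;
    public bool Connected; public bool Authenticated; public bool Remembered;
}

public static class BtNative
{
    [DllImport("bthprops.cpl", SetLastError = true)]
    static extern IntPtr BluetoothFindFirstDevice(ref BtSearchParams pbtsp, ref BtDeviceInfo pbtdi);
    [DllImport("bthprops.cpl", SetLastError = true)]
    static extern bool BluetoothFindNextDevice(IntPtr hFind, ref BtDeviceInfo pbtdi);
    [DllImport("bthprops.cpl", SetLastError = true)]
    static extern bool BluetoothFindDeviceClose(IntPtr hFind);

    // Major device class sits in bits 8..12 of the Class of Device (Bluetooth Assigned Numbers).
    static readonly string[] Major = { "Misc", "Computer", "Phone", "LAN/NAP", "Audio/Video",
                                       "Peripheral", "Imaging", "Wearable", "Toy", "Health" };

    public static List<BtDeviceRecord> Enumerate()
    {
        var results = new List<BtDeviceRecord>();
        var search = new BtSearchParams();
        search.dwSize = (uint)Marshal.SizeOf(typeof(BtSearchParams));
        search.fReturnAuthenticated = 1; search.fReturnRemembered = 1;
        search.fReturnUnknown = 1;       search.fReturnConnected = 1;
        search.fIssueInquiry = 0;        // 0 = read the paired/cached list only; 1 would run a live
        search.cTimeoutMultiplier = 0;   //     radio inquiry, which is slow and observable
        search.hRadio = IntPtr.Zero;

        var info = new BtDeviceInfo();
        info.dwSize = (uint)Marshal.SizeOf(typeof(BtDeviceInfo));

        IntPtr hFind = BluetoothFindFirstDevice(ref search, ref info);
        if (hFind == IntPtr.Zero)
        {
            int err = Marshal.GetLastWin32Error();
            if (err == 259) return results;   // ERROR_NO_MORE_ITEMS: no devices known to this host
            throw new System.ComponentModel.Win32Exception(err); // e.g. no Bluetooth radio present
        }
        try
        {
            do { results.Add(ToRecord(info)); } while (BluetoothFindNextDevice(hFind, ref info));
        }
        finally { BluetoothFindDeviceClose(hFind); }
        return results;
    }

    static BtDeviceRecord ToRecord(BtDeviceInfo i)
    {
        string hex = i.Address.ToString("X12");           // most significant octet first
        var octets = new string[6];
        for (int k = 0; k < 6; k++) octets[k] = hex.Substring(k * 2, 2);
        uint major = (i.ulClassofDevice >> 8) & 0x1F;
        return new BtDeviceRecord {
            Name = i.szName, Address = string.Join(":", octets),
            MajorClass = major < Major.Length ? Major[major] : "Unknown(" + major + ")",
            Connected = i.fConnected != 0, Authenticated = i.fAuthenticated != 0,
            Remembered = i.fRemembered != 0 };
    }
}
'@

Add-Type -TypeDefinition $source
[BtNative]::Enumerate() |
    Format-Table Name, Address, MajorClass, Connected, Authenticated, Remembered -AutoSize
```

The six columns are exactly the fields the article lists, and the fReturn* flags are what decide whether paired, remembered and merely seen devices all come back. Two things worth noting from a defender's side: the call reads Windows' cached pairing list, so it leaves no radio activity to observe, and a binary that imports BluetoothFindFirstDevice and BluetoothFindNextDevice from bthprops.cpl has this capability, which makes those imports a reasonable thing to look for when triaging an unknown sample.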
It is not clear why the group collects such a wide range of Bluetooth device information. One possibility is that it wants to understand which devices a victim owns in order to attack those Bluetooth devices next. Kaspersky attributes the malware to a group it tracks as ScarCruft, which it has followed since 2016; ScarCruft's campaigns are aimed at political targets and at intelligence gathering.
Kaspersky said it has identified several victims of the campaign from its telemetry, including investment and trading companies in Vietnam and Russia. These may have some connection to North Korea, which would explain why ScarCruft watches them closely. ScarCruft also attacked a diplomatic agency in Hong Kong and another diplomatic agency in North Korea.
Kaspersky also noted that some of these victims had previously been attacked by other North Korean actors, such as the DarkHotel group. This suggests that the groups operate independently and have, on occasion, ended up attacking the same victims.
“They are both Korean-speaking threat actors and sometimes their victimology overlaps. But both groups seem to have different TTPs (Tactics, Techniques, and Procedures) and it leads us to believe that one group regularly lurks in the other’s shadow,” Kaspersky said.