In the dynamic world of cyber conflict organizations either evolve or die. Tracking how threat actors evolve can help better position our defenses.
One dynamic of note is the evolution of the APT group known as Group 123, Reaper or ScarCruft.
ScarCruft attracted some attention early last year for employing an Adobe Flash zero-day exploit in an attack campaign dubbed Operation Daybreak that targeted more than two-dozen high-profile organizations. At the time, Kaspersky Lab researchers believed the threat group had purchased the exploit in the dark market using cryptocurrency, rather than developing the exploit on its own. The researchers assessed then that the group did not have the ability to develop a zero-day exploit.
The threat actor has also developed an interest in attacking mobile devices and has increasingly begun adapting legitimate tools and services in its espionage campaigns.
One of the new tools that ScarCruft has developed is a rare Bluetooth device-harvester designed to collect the names and addresses of Bluetooth devices, device type, whether it is connected, and whether it requires authentication. The malware leverages the Windows Bluetooth API to fingerprint Bluetooth devices.
Victims of the ongoing campaign include investment firms and trading companies in Russia and Vietnam that appear to have links to the North Korean government. Entities in North Korea and Hong Kong also have been targeted in its latest campaign.
For more see: DarkReading