ScarCruft, an advanced persistent threat group known for attacking organizations with links to the Korean peninsula, has become more dangerous.
An analysis of recent data associated with the group shows that it has acquired new tools and is testing new exploits in preparation for future campaigns, Kaspersky Lab said Monday.
Telemetry associated with ScarCruft shows that the threat actor has also developed an interest in attacking mobile devices and has increasingly begun adapting legitimate tools and services in its espionage campaigns.
One of the new tools that ScarCruft has developed is a rare Bluetooth device-harvester designed to collect the names and addresses of Bluetooth devices, device type, whether it is connected, and whether it requires authentication. The malware leverages the Windows Bluetooth API to fingerprint Bluetooth devices, Kaspersky Lab said.
Victims of the ongoing campaign include investment firms and trading companies in Russia and Vietnam that appear to have links to the North Korean government. Entities in North Korea and Hong Kong also have been targeted in its latest campaign.
“ScarCruft has shown itself to be a highly-skilled and active group,” Kaspersky Lab said in a report. “Based on ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve.”
Security researchers consider ScarCruft—also known as Reaper and Group 123—to be one of the most active APT groups in the Asian region. It is a Korean-language speaking group that is likely state-sponsored and focused on collecting information pertaining to North Korea and on businesses with connections to the reclusive country.