ScarCruft continues to evolve, introduces Bluetooth harvester
Executive summary
After publishing our initial series of blog posts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.
We recently discovered some interesting telemetry on this actor and decided to dig deeper into ScarCruft's recent activity. It shows that the actor is still very active and constantly refining its attack tools. Based on our telemetry, we can reconstruct ScarCruft's binary infection procedure: a multi-stage infection chain that lets the actor update individual modules and evade detection. In addition, we analyzed the victims of this campaign and spotted an interesting overlap with another APT actor known as DarkHotel.
Multi-stage binary infection
The ScarCruft group uses common malware delivery techniques such as spear phishing and …
IoC
MD5 hashes
02681a7fe708f39beb7b3cf1bd557ee9
032ed0cd234f73865d55103bf4ceaa22
03e5e566c1153cb1d18b8bc7c493025f
04371bf88b598b56691b0ad9da08204b
0790f1d7a1b9432aa5b8590286eb8b95
07d2200f5c2d03845adb5b20841faa94
172b4dc27e41e4a0c84a803b0b944d3e
1f5ac2f1744ed9c3fd01fe72ee8d334f
22aaf617a86e026424edb7c868742495
25701492a18854ffdb05317ec7d19c29
46f66d2d990660661d00f5177306309c
4c2016df6b546326d67ac2a79dea1343
4d20f7311f4f617104f559a04afd2fbf
4d3c34a3070643c225be1dbbb3457ad4
5380a173757e67d9b12f316771012768
5999e01b83aa1cc12a2ad6a0c0dc27c3
5e0e11bca0e94914e565c1dcc1ee6860
7149c205d634c4d17dae33fffb8a68ab
7a338d08226f5a38353385c8a5dec746
899e90a0851649a5c270d1f78baf60f2
a6bd2cf7bccf552febb8e8347d07529a
a76c4a79e6ff73bfd7149a49852e8916
c66ef71830341bb99d30964a8089a1fc
c781f5fad9b47232b3606e4d374900cd
d7c94c5ba028dc22a570f660b8dee5b9
e88f7f285163d0c080c8d3e525b35ab3
e8b23cfc805353f55ed67cf0af58f305
ec0e77b57cb9dd7a04ab6e453810937c
f63fc2d11fcebd37be3891def5776f6c
IP addresses
120.192.73.202
180.182.52.76
34.13.42.35
URLs
http://120.192.73.202
http://180.182.52.76
http://34.13.42.35/uploads/1.jpg
http://34.13.42.35/uploads/2.jpg
http://34.13.42.35/uploads/girl.jpg
http://34.13.42.35/uploads/girllisten.jpg
http://34.13.42.35/uploads/qwerty.jpg
http://acddesigns.com.au/demo/red/images/slider-pic-6.jpg
http://buttyfly.000webhostapp.com
http://kmbr1.nitesbr1.org/UserFiles/File/image/index.php
http://kmbr1.nitesbr1.org/UserFiles/File/images.png
http://lotusprintgroup.com/images.png
http://planar-progress.000webhostapp.com
http://www.jnts1532.cn/phpcms/templates/default/message/bottom.jpg
http://www.rhooters.com/bbs/data/m_photo/bottom.jpg
http://www.stjohns-burscough.org/uploads/images.png
https://34.13.42.35/uploads/newmode.php
https://buttyfly.000webhostapp.com/userfiles/file/sliderpic.jpg
https://planar-progress.000webhostapp.com/UserFiles/File/image/image/girl.jpg
https://planar-progress.000webhostapp.com/userfiles/file/sliderpic.jpg
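The IoC list above mixes 32-hex-digit (MD5) file hashes, bare IP addresses and full URLs in one flat block, and several of the hashes are published in mixed case. The following Python is an added example (written for this page, not code from Kaspersky or from the ScarCruft samples) of how a detection engineer would turn such a list into typed indicator sets and run them over proxy logs and file hashes. It assumes a constructed proxy log format of the form `<timestamp> <client-ip> <method> <url> <status>` and uses only a constructed subset of the published indicators; the log lines are invented for the example. Two design choices matter: the host of every URL indicator is also treated as a host indicator, because later samples of the same actor commonly reuse a C2 host with new paths, and matching is scheme-agnostic and case-insensitive on the host so that `HTTPS://34.13.42.35/...` still hits.

```python
import re
from urllib.parse import urlparse

# Constructed subset of the indicators from the IoC list above; a real deployment
# would feed in the complete published list, one indicator per line.
IOC_TEXT = """
02681a7fe708f39beb7b3cf1bd557ee9
0790F1D7A1B9432AA5B8590286EB8B95
120.192.73.202
34.13.42.35
http://120.192.73.202
http://34.13.42.35/uploads/girl.jpg
https://34.13.42.35/uploads/newmode.php
http://lotusprintgroup.com/images.png
http://buttyfly.000webhostapp.com
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _url_key(url):
    """Normalise a URL to (lower-case host, path) so that http vs https and an
    empty vs '/' path compare equal."""
    u = urlparse(url.strip())
    return (u.hostname or "").lower(), (u.path or "/")


def parse_iocs(text):
    """Split the flat IoC list into three typed sets: lower-cased MD5 hashes,
    hosts, and (host, path) URL keys. The host of each URL indicator is also
    added to the host set (assumption: the actor reuses C2 hosts with new paths)."""
    md5s, hosts, urls = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MD5_RE.match(line):
            md5s.add(line.lower())
        elif IPV4_RE.match(line):
            hosts.add(line)
        elif line.lower().startswith(("http://", "https://")):
            key = _url_key(line)
            urls.add(key)
            hosts.add(key[0])
        else:
            raise ValueError(f"unrecognised indicator: {line!r}")
    return md5s, hosts, urls


def classify_url(url, hosts, urls):
    """Return 'url' for an exact (host, path) match, 'host' when only the host is
    a known indicator, or None. Path match is exact; host match is
    case-insensitive and ignores the scheme."""
    key = _url_key(url)
    if key in urls:
        return "url"
    if key[0] in hosts:
        return "host"
    return None


def scan_proxy_log(lines, hosts, urls):
    """Run classify_url over constructed proxy log lines of the form
    '<timestamp> <client-ip> <method> <url> <status>' and return
    (line_number, kind, url) for every hit. Malformed lines are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        kind = classify_url(url, hosts, urls)
        if kind:
            hits.append((n, kind, url))
    return hits


def scan_hashes(hashes, md5s):
    """Return the sorted, lower-cased subset of the given hashes (any case)
    that appear in the MD5 indicator set."""
    return sorted(h.lower() for h in hashes if h.lower() in md5s)


# Constructed sample log: two hits on listed URLs (lines 1 and 5), two on listed
# hosts with unlisted paths (lines 3 and 4), and two benign lines (same file name
# on an unrelated host, and an unrelated site).
SAMPLE_LOG = [
    "2019-05-13T10:01:02Z 10.0.0.5 GET http://34.13.42.35/uploads/girl.jpg 200",
    "2019-05-13T10:01:03Z 10.0.0.5 GET http://example.com/images.png 200",
    "2019-05-13T10:02:10Z 10.0.0.7 GET HTTPS://34.13.42.35/uploads/other.jpg 404",
    "2019-05-13T10:02:11Z 10.0.0.7 GET http://lotusprintgroup.com/index.html 200",
    "2019-05-13T10:03:00Z 10.0.0.9 POST http://120.192.73.202/ 200",
    "2019-05-13T10:03:01Z 10.0.0.9 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    md5s, hosts, urls = parse_iocs(IOC_TEXT)
    for hit in scan_proxy_log(SAMPLE_LOG, hosts, urls):
        print(hit)
    print(scan_hashes(["0790f1d7A1B9432AA5B8590286EB8B95",
                       "d41d8cd98f00b204e9800998ecf8427e"], md5s))
```

A host-only hit (kind `host`) is a weaker signal than an exact URL hit, since several of the listed hosts are legitimate compromised sites (shared hosting such as 000webhostapp.com, or a print shop's website), so in practice it should be triaged rather than blocked outright; the exact URL and hash matches are the high-confidence indicators.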