North Korean cyberspies deploy new malware that harvests Bluetooth data


A group of North Korean state-sponsored hackers has developed and deployed a new strain of malware that harvests information about Bluetooth devices connected to Windows systems.

Discovered by Kaspersky Lab, this malware is usually deployed on victims’ computers as a second-stage payload in already active infections.

On infected systems, it uses the Windows Bluetooth APIs to collect data from victims, such as the name of Bluetooth-connected devices, device class, device address, and whether the device is currently connected/authenticated/remembered, or not.

It is currently unknown why North Korean hackers are collecting such extensive information on Bluetooth devices from infected hosts. Possible reasons may be to get a better idea of a victim’s device portfolio and to plan attacks against the victim’s Bluetooth devices at a later point.

Malware is the work of StarCruft APT

According to Kaspersky, the malware is the work of a hacking group codenamed StarCruft, which the company has been tracking since 2016.

There are different North Korean-based hacking groups active today. Some are focused on stealing money from banks, some target cryptocurrency exchanges, while others are focused on cyber-espionage operations.

StarCruft is from the latter category, focused on attacking targets for political and intelligence-gathering reasons.

“We have found several victims of this campaign, based on our telemetry – investment and trading companies in Vietnam and Russia,” Kaspersky said in a report today. “We believe they may have some links to North Korea, which may explain why StarCruft decided to closely monitor them.”

Furthermore, StarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea.

“It appears StarCruft is primarily targeting intelligence for political and diplomatic purposes,” the antivirus vendor said.

StarCruft campaign

Image: Kaspersky

The security vendor also noticed something peculiar about these attacks: some of the victims had previously been infected by other North Korean hacking groups, such as the DarkHotel group.

This suggests that some of these groups might not be working together as some have thought, with some of them acting independently and inadvertently targeting and infecting the same victims.

For now, the mystery remains as to why StarCruft has deployed Bluetooth-harvesting malware.

Security researchers and malware enthusiasts can find a more detailed description of this recent StarCruft campaign on the Kaspersky website.
