ScarCruft Launches Malware With Bluetooth Device-Harvesting Capability

Cybercriminal group ScarCruft has recently developed Bluetooth device-harvesting malware that collects Bluetooth device information such as names, device addresses, device types, as well as connection and authentication information. The malware takes advantage of the Windows Bluetooth API to gather information about the devices.

According to an analysis by Kaspersky, the multistage campaign targets investment and trading companies in Russia, Vietnam, and Hong Kong. ScarCruft infiltrates its targeted organization by employing spear phishing techniques or watering hole attacks.

[READ: Anatomy of a spear phishing attack]

After the system is compromised, the malware (detected by Trend Micro as Trojan.Win32.SCARCRUFT.AA) downloads a dropper that enables it to evade Windows user account control (UAC), a vital component of Microsoft’s overall security vision.

Once the malware successfully bypasses UAC, it can run with higher privileges and take advantage of legitimate penetration testing code within the compromised organization. To further avoid detection, it hides its code inside an image file using steganography.

[READ: Cybercriminals Use Malicious Memes that Communicate with Malware]

Finally, the malware installs ROKRAT (detected as Trojan.Win32.ROKRAT.AB), a remote access tool (RAT) that runs on a cloud service. ROKRAT steals and siphons off various information from systems and devices on the compromised network to send to known cloud service providers such as Box, DropBox, pCloud, and Yandex.Disk.

This is not the first time the ROKRAT backdoor has made waves. In 2017, it used the social media platform Twitter as its C&C channel and Yandex and Mediafire for data exfiltration purposes.

Stopping the Threat at the Starting Point

This campaign’s infection stage starts with a spear-phishing attack, which targets specific individuals or groups within an organization by means of online communication platforms such as emails, social media, and instant messaging with the intent of maliciously obtaining personal information.

Here are some best practices for users to avoid falling for spear-phishing attacks:

  • Be wary of unsolicited mail and unexpected emails, especially those that call for urgency. Always verify with the person involved through a different means of communication, such as phone calls or face-to-face conversation.
  • Learn to recognize the basic tactics used in spear-phishing emails, for example, tax-related fraud, CEO fraud, business email compromise scams, and other social engineering tactics.
  • Refrain from clicking on links or downloading attachments in emails, especially from unknown sources.

Organizations can also block threats that arrive via email using hosted email security and antispam protection.

Trend Micro Solutions

Trend Micro endpoint solutions such as the Smart Protection Suites can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs.

The use of AI and machine learning in Trend Micro email security products enhances an organization’s overall cyberdefense against BEC, email account compromise (EAC), phishing, and other advanced threats. Trend Micro’s anti-phishing technology combines the knowledge of a security expert with a self-learning mathematical model to identify fake emails by looking at both behavioral factors and the intention of an email. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector prevents threats from reaching end users.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.