Discovered by Kaspersky Lab, this malware is usually deployed on victims’ computers as a second-stage payload in already active infections.
On infected systems, it uses the Windows Bluetooth APIs to collect information about the victim's Bluetooth devices: the name of each device, its device class, its device address, and whether the device is currently connected, authenticated, or remembered by the host.
It is currently unknown why North Korean hackers are collecting such detailed Bluetooth device information from infected hosts. Possible reasons include building a picture of the devices a victim owns and uses, and planning attacks against those Bluetooth devices at a later point.
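To make concrete what those API calls expose, here is an added example written for this page (it is not the harvester's code and not Kaspersky's): a small C program that walks the devices Windows already knows about through the Win32 Bluetooth enumeration API (BluetoothFindFirstDevice / BluetoothFindNextDevice and the BLUETOOTH_DEVICE_INFO structure) and prints the same fields the article lists. The Class of Device decoder and the address formatter are portable and are exercised on a constructed headset record when built off Windows; the enumeration itself compiles only on Windows. Note that with fIssueInquiry set to FALSE nothing is transmitted: the pairing cache alone yields names, addresses, classes and the connected/authenticated/remembered flags, which is what makes this kind of collection quiet on a host.

```c
/* Enumerate known Bluetooth devices via the Win32 Bluetooth API.
 * Added example for this page; not the malware's or Kaspersky's code.
 * Build on Windows:  cl bt_enum.c Bthprops.lib   or   gcc bt_enum.c -lbthprops
 * The decoders below are portable so the logic can be compiled and checked anywhere. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Bluetooth Class of Device (CoD): bits 8..12 hold the major device class. */
const char *cod_major_class(uint32_t cod) {
    switch ((cod >> 8) & 0x1F) {
    case 0x00: return "Miscellaneous";
    case 0x01: return "Computer";
    case 0x02: return "Phone";
    case 0x03: return "LAN/Network access point";
    case 0x04: return "Audio/Video";
    case 0x05: return "Peripheral";
    case 0x06: return "Imaging";
    case 0x07: return "Wearable";
    case 0x08: return "Toy";
    case 0x09: return "Health";
    case 0x1F: return "Uncategorized";
    default:   return "Reserved";
    }
}

/* Bits 13..23 of the CoD are major service class flags (e.g. bit 21 = Audio,
 * bit 18 = Rendering). Returns 1 if the requested bit is a service bit and set. */
int cod_has_service(uint32_t cod, unsigned bit) {
    return bit >= 13 && bit <= 23 && ((cod >> bit) & 1u);
}

/* Format a 48-bit address stored least-significant byte first, which is how the
 * Win32 BLUETOOTH_ADDRESS.rgBytes array is laid out (rgBytes[5] is the top byte). */
int format_bt_address(const uint8_t rgBytes[6], char *out, size_t outlen) {
    return snprintf(out, outlen, "%02X:%02X:%02X:%02X:%02X:%02X",
                    rgBytes[5], rgBytes[4], rgBytes[3],
                    rgBytes[2], rgBytes[1], rgBytes[0]);
}

#ifdef _WIN32
#include <windows.h>
#include <bluetoothapis.h>
#pragma comment(lib, "Bthprops.lib")

/* Walk every device the local radios remember. Returns the count, or -1 if the
 * search handle could not be opened (no radio, or no devices known). */
int enumerate_bluetooth_devices(void) {
    BLUETOOTH_DEVICE_SEARCH_PARAMS params;
    BLUETOOTH_DEVICE_INFO info;
    HBLUETOOTH_DEVICE_FIND hFind;
    char addr[18];
    int count = 0;

    memset(&params, 0, sizeof params);
    params.dwSize = sizeof params;
    params.fReturnAuthenticated = TRUE;   /* paired devices */
    params.fReturnRemembered    = TRUE;   /* devices Windows has cached */
    params.fReturnUnknown       = TRUE;
    params.fReturnConnected     = TRUE;
    params.fIssueInquiry        = FALSE;  /* cache only: no over-the-air scan */
    params.hRadio               = NULL;   /* all local radios */

    memset(&info, 0, sizeof info);
    info.dwSize = sizeof info;

    hFind = BluetoothFindFirstDevice(&params, &info);
    if (!hFind) return -1;
    do {
        format_bt_address(info.Address.rgBytes, addr, sizeof addr);
        printf("%-32ls %s class=0x%06lX (%s) connected=%d authenticated=%d remembered=%d\n",
               info.szName, addr, info.ulClassofDevice,
               cod_major_class((uint32_t)info.ulClassofDevice),
               (int)info.fConnected, (int)info.fAuthenticated, (int)info.fRemembered);
        count++;
    } while (BluetoothFindNextDevice(hFind, &info));
    BluetoothFindDeviceClose(hFind);
    return count;
}
#endif

int main(void) {
#ifdef _WIN32
    printf("%d device(s) enumerated\n", enumerate_bluetooth_devices());
#else
    /* Constructed sample record (not captured data): a headset-class device,
     * CoD 0x240404 = Audio (bit 21) + Rendering (bit 18) services, major class 4. */
    const uint8_t sample_addr[6] = {0x11, 0x22, 0x33, 0xAA, 0xBB, 0xCC};
    uint32_t cod = 0x240404u;
    char addr[18];
    format_bt_address(sample_addr, addr, sizeof addr);
    printf("%s class=0x%06X (%s) audio=%d\n", addr, cod,
           cod_major_class(cod), cod_has_service(cod, 21));
#endif
    return 0;
}
```

Run on a Windows host where Bluetooth devices have been paired and it lists exactly the fields described above; the major-class decoder is what turns the raw ulClassofDevice value into a readable "Phone" or "Audio/Video", which is also the quickest way for a defender to judge what a dump of this data would have told the attacker.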
MALWARE IS THE WORK OF STARCRUFT APT
According to Kaspersky, the malware is the work of a hacking group codenamed StarCruft, which the company has been tracking since 2016.
Several North Korea-based hacking groups are active today. Some focus on stealing money from banks, some target cryptocurrency exchanges, and others run cyber-espionage operations.
StarCruft falls into the latter category, attacking targets for political and intelligence-gathering reasons.
“We have found several victims of this campaign, based on our telemetry – investment and trading companies in Vietnam and Russia,” Kaspersky said in a report today. “We believe they may have some links to North Korea, which may explain why StarCruft decided to closely monitor them.”
StarCruft also attacked a diplomatic agency in Hong Kong and another diplomatic agency in North Korea.
“It appears StarCruft is primarily targeting intelligence for political and diplomatic purposes,” the antivirus vendor said.
The security vendor also noticed something peculiar about these attacks: some of the victims had previously been infected by other North Korean hacking groups, such as DarkHotel.
This suggests that, contrary to what some have assumed, these groups do not necessarily work together; some of them act independently and end up targeting and infecting the same victims.
For now, why StarCruft has deployed Bluetooth-harvesting malware remains a mystery.
Security researchers and malware enthusiasts can find a more detailed description of this recent StarCruft campaign on the Kaspersky website.