ScarCruft develops and tests its own tools and techniques, expanding both the range and the volume of information it collects from victims. Among other things, it has created code that can identify devices connected via Bluetooth.
The threat group usually targets government entities and companies with ties to the Korean Peninsula, in search of information of political significance. It shows an increasing interest in acquiring data from mobile devices, and it has demonstrated an ability to adapt and to use legitimate tools and services in its cyber-espionage operations.
Like those of other advanced persistent threat (APT) groups, ScarCruft's attacks start either with spear phishing or with strategic website compromise, also known as watering-hole attacks, which exploit vulnerabilities or use other tricks to attack specific visitors to certain compromised websites.
The first stage of the attack usually bypasses Windows User Account Control (UAC) so that it can download the malicious payload with higher privileges, using code that is normally used by companies for legitimate purposes. To avoid detection at the network level, the malware then uses an information-hiding technique (steganography), concealing the malicious code inside an image file. The attack installs a cloud-service-based backdoor called ROKRAT. This backdoor gathers a wide range of information from the victim's systems and devices for later upload to cloud services such as Box, Dropbox, pCloud, and Yandex.Disk.
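One way a defender can hunt for the exfiltration channel described above is to look for uploads to those four cloud services from processes that are not expected to use them. The following is an added example, not code from Kaspersky or from the original article; the log format, hostname suffixes, process allow-list and sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Hostname suffixes for the four services the article names (assumed; verify
# against each vendor's current documentation before deploying).
CLOUD_SUFFIXES = {
    "dropboxapi.com": "Dropbox",
    "box.com": "Box",
    "pcloud.com": "pCloud",
    "disk.yandex.net": "Yandex.Disk",
    "cloud-api.yandex.net": "Yandex.Disk",
}
# Hypothetical allow-list of processes expected to upload to cloud storage.
APPROVED = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Constructed sample of proxy/EDR network events (not real telemetry).
SAMPLE_LOG = """ts,host,process,method,dest_host,bytes_out
2019-05-13T09:00:01Z,WS-014,chrome.exe,POST,content.dropboxapi.com,52000
2019-05-13T09:02:10Z,WS-014,svchost_upd.exe,POST,api.pcloud.com,18000
2019-05-13T09:02:40Z,WS-014,svchost_upd.exe,POST,api.pcloud.com,22000
2019-05-13T09:03:05Z,WS-022,rundll32.exe,PUT,uploader1d.disk.yandex.net,410000
2019-05-13T09:04:00Z,WS-022,rundll32.exe,GET,cloud-api.yandex.net,300
2019-05-13T09:05:00Z,WS-030,notepad.exe,POST,notbox.com,999
"""

def service_for(dest_host):
    """Map a hostname to a service by exact or dot-bounded suffix match."""
    name = dest_host.lower().rstrip(".")
    for suffix, service in CLOUD_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return service
    return None  # look-alikes such as notbox.com do not match

def find_unapproved_uploads(log_text, min_bytes=0):
    """Total upload bytes per (host, process, service) for unapproved processes."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        service = service_for(row["dest_host"])
        if service is None or row["method"].upper() not in ("POST", "PUT"):
            continue  # only uploads to the watched services are of interest
        if row["process"].lower() in APPROVED:
            continue
        totals[(row["host"], row["process"], service)] += int(row["bytes_out"])
    return sorted(k + (v,) for k, v in totals.items() if v >= min_bytes)

if __name__ == "__main__":
    for finding in find_unapproved_uploads(SAMPLE_LOG):
        print(finding)
```

Process names are easy to spoof, so in practice the allow-list should key on signed binary path or hash rather than on name alone.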
ScarCruft and DarkHotel overlap in their interests, despite significant differences in their tools and methods. Although ScarCruft is cautious and keeps a low profile, it has proved to be a highly skilled and active group that shows a great deal of ingenuity in the way it develops and deploys its tools.
Source: Kaspersky