
APT37 Abuses Google Drive Using Dynamic Dolphin Malware

The North Korean hacking group APT37 (aka ScarCruft or Reaper) has added a new, sophisticated backdoor named Dolphin to its already extensive tool arsenal. Dolphin abuses a legitimate cloud storage service, Google Drive, for its command-and-control (C2) communication and for exfiltration, so its traffic blends in with ordinary cloud use.

Origin story

ESET researchers found that APT37 has been using Dolphin since early 2021, and that its operators keep adding capabilities and reworking the backdoor to evade detection.
  • The discovery links back to a 2021 watering-hole attack on a South Korean online newspaper that reports on activity and events related to North Korea.
  • The attackers chained multiple components: an Internet Explorer exploit and shellcode led to a first-stage backdoor named BLUELIGHT, which in turn deployed Dolphin as a second-stage payload on selected targets only.
  • BLUELIGHT performs basic reconnaissance and evaluation of the compromised machine after exploitation; Dolphin then searches the drives of the compromised system for files of interest and exfiltrates them to Google Drive.

Dolphin’s capabilities

Dolphin, written in C++, is a backdoor that collects information and executes commands, either automatically or as issued by its operators.
  • Dolphin has a broad set of spying capabilities, including monitoring the compromised system's drives and any portable devices that are plugged in, and exfiltrating files of interest.
  • It can also log keystrokes, take screenshots, and steal credentials saved by browsers such as Chrome, Edge, and Internet Explorer. It establishes persistence on compromised systems by modifying the Windows Registry.

Detection details

So far, four Dolphin variants have been identified, versioned 1.9 through 3.0 and built for both 32-bit (x86) and 64-bit systems. Each variant adds, removes, or reworks commands, so the command set is not stable across samples.
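The defensive angle a practitioner will want from this report is a hunt for Google Drive use by processes that have no business talking to it, since that is what Dolphin's C2 and exfiltration look like on the wire. The script below is an added example, not code from the ESET report or from Cyware: it assumes Dolphin's Drive traffic resolves the standard Google Drive API hostnames (the page only says "Google Drive"), runs over constructed Sysmon Event ID 22-style DNS query records embedded inline, and flags a Drive lookup when the querying process is not a known browser or the official Drive client, or when a process with an expected name runs out of a Temp directory (a common masquerade).

```python
"""Hunt for Google Drive lookups from processes that should not be making them.

Added example, not part of the original report. Hostnames, the allow-list of
expected processes and the sample log records are all constructed assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# ASSUMPTION: a Drive API client resolves these names; tune to your telemetry.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "oauth2.googleapis.com"}

# Processes that legitimately reach Google Drive on a workstation (assumed list).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
                   "googledrivefs.exe"}

# A process with an expected name running from a scratch directory is still odd.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class DnsEvent:
    utc_time: str
    image: str   # full path of the process that issued the query
    query: str   # queried hostname, lower-cased


# Constructed Sysmon Event ID 22-style records (sample data, not real telemetry).
SAMPLE_LOG = r"""
2021-10-11 09:12:03 Image=C:\Program Files\Google\Chrome\Application\chrome.exe QueryName=www.googleapis.com
2021-10-11 09:12:41 Image=C:\Users\alice\AppData\Local\Temp\svchost.exe QueryName=www.googleapis.com
2021-10-11 09:13:05 Image=C:\Program Files\Google\Chrome\Application\chrome.exe QueryName=oauth2.googleapis.com
2021-10-11 09:13:30 Image=C:\Windows\System32\svchost.exe QueryName=ctldl.windowsupdate.com
2021-10-11 09:14:12 Image=C:\Users\alice\AppData\Local\Temp\chrome.exe QueryName=drive.google.com
2021-10-11 09:15:00 Image=C:\Program Files\Google\Drive File Stream\GoogleDriveFS.exe QueryName=www.googleapis.com
"""

# Image paths contain spaces, so match non-greedily up to the next field name.
LINE_RE = re.compile(r"^(?P<time>\S+ \S+) Image=(?P<image>.+?) QueryName=(?P<query>\S+)$")


def parse_events(text: str) -> list[DnsEvent]:
    """Parse the sample record format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append(DnsEvent(m["time"], m["image"], m["query"].lower()))
    return events


def is_suspicious(ev: DnsEvent) -> bool:
    """True when a Drive host is queried by an unexpected or masquerading process."""
    if ev.query not in DRIVE_HOSTS:
        return False
    name = PureWindowsPath(ev.image).name.lower()
    if name not in EXPECTED_IMAGES:
        return True
    # Expected name, but running from a Temp directory: treat as masquerade.
    return any(marker in ev.image.lower() for marker in TEMP_MARKERS)


def suspicious_drive_queries(events: list[DnsEvent]) -> list[DnsEvent]:
    return [ev for ev in events if is_suspicious(ev)]


def summarize(flagged: list[DnsEvent]) -> dict[str, int]:
    """Count flagged lookups per process image, for triage ordering."""
    counts: dict[str, int] = {}
    for ev in flagged:
        counts[ev.image] = counts.get(ev.image, 0) + 1
    return counts


if __name__ == "__main__":
    hits = suspicious_drive_queries(parse_events(SAMPLE_LOG))
    for ev in hits:
        print(f"{ev.utc_time}  {ev.image}  ->  {ev.query}")
    print(summarize(hits))
```

Against the constructed sample, the two Temp-directory processes are flagged and the Program Files browser and Drive client are not. In a real deployment the same logic applies to proxy or EDR network events keyed by process image; the allow-list is the part that needs tuning, since per-user browser installs live under AppData rather than Program Files.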

Conclusion

Dolphin is the final-stage payload in APT37's multistage attack chain, deployed only on victims the operators judge worthwhile, and its command set changes from variant to variant as the operators' needs and interests change. Using Google Drive for C2 and exfiltration lets the backdoor's traffic hide among legitimate cloud activity, which, combined with its continual modification, makes Dolphin a stealthy yet serious threat. Researchers expect newer variants to appear in future attacks.
Publisher: Cyware