Pierluigi Paganini December 01, 2022

North Korea-linked ScarCruft group used a previously undocumented backdoor called Dolphin against targets in South Korea.

ESET researchers discovered a previously undocumented backdoor called Dolphin that was employed by North Korea-linked ScarCruft group (aka APT37, Reaper, and Group123) in attacks aimed at targets in South Korea.

ScarCruft has been active since at least 2012, it made the headlines in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

The Dolphin backdoor supports a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers.

This backdoor was employed against selected targets, it was delivered using less sophisticated malware. Dolphin abuses Google Drive cloud storage for Command & Control communication.

“During our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes.” reads the post published by ESET.

The Dolphin backdoor was used as the final payload of a multistage watering-hole attack in early 2021. The threat actors used the implant against a South Korean online newspaper, the APT group also relied on an Internet Explorer exploit and used another backdoor named BLUELIGHT (previously reported by security firms Volexity and Kaspersky).

One of the most interesting features of earlier Dolphin versions analyzed by ESET is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security and avoid detection.

“It steals the existing cookie of the logged-in account from the browser and crafts requests that modify the settings.” continues the report.

The Dolphin loader is composed of a Python script and shellcode, while the core backdoor is a Windows executable written in C++. 

“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” concludes the report that also provides Indicators of Compromise (IoCs) for the backdoor. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dolphin backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]