North Korean APT37 Unleashes Dolphin Backdoor on South Korea

North Korean APT37 Unleashes Dolphin Backdoor on South Korea

The backdoor is equipped with a wide range of spying capabilities, including exfiltrating files, keylogging, and stealing browser data, etc.

On 30th November, ESET researchers uncovered Dolphin, a sophisticated backdoor used by an APT group named ScarCruft, likely to be linked to North Korea.

The group also referred to as APT37, InkySquid, Reaper, and Ricochet Chollima, is known to attack government entities, diplomats, and news organizations in South Korea and certain other Asian countries.

The geopolitical espionage group has been active since 2012, working to compromise targets linked to the interests of North Korea. It is worth noting that in August 2021, the same APT group was previously found using the Konni RAT variant against Russian organizations, while in December 2019, Microsoft had already spotted and dismantled a network of 50 malicious domains used by the group.

This time around, the backdoor used by the group has a wide range of spying capabilities which includes monitoring drives and portable devices, exfiltrating files of interest (such as media, documents, emails, and certificates), keylogging, taking screenshots, and stealing credentials from browsers.

Initially, a targeted device is compromised using less advanced malware after which the Dolphin backdoor is deployed to abuse cloud storage services, specifically Google Drive, to allow Command and Control (C&C) communication. 

During their investigation, ESET researchers observed that the older versions of the previously unreported backdoor were able to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, in order to gain access to victims’ email inboxes.

Furthermore, it searches the drives of compromised systems for interesting files and infiltrates them into Google Drive. This should not come as a surprise since Google Drive is accounted for 50% of malicious document downloads.

It was first found by the Slovak cybersecurity company in early 2021 and deployed as a final-stage payload as part of a watering hole attack against a South Korean digital newspaper. The campaign exploited two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.

Although made by the same APT Group, BLUELIGHT is not as advanced as Dolphin and is only used to execute an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the Dolphin backdoor. 

North Korean APT37 Unleashes Dolphin Backdoor on South Korea
Dolphin backdoor’s infection chain (ESET)

“While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,” ESET researcher Filip Jurčacko explained in a blog post.

Since initially being discovered in April 2021, Dolphin has undergone three successive iterations that improve its features and grant it more capabilities to evade detection. 

“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” Jurčacko said. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”

  1. N. Korean hackers stole $1.7B from cryptocurrency exchanges
  2. N. Korean Radio Station Hacked to Play “The Final Countdown”
  3. US Warns Firms About N. Korean Hackers Posing as IT Workers
  4. N. Korean hackers used VPN flaws to hack S Korean atomic agency
  5. Elite N. Koreans aren’t opposed to exploiting internet for financial gain
Related Posts