Recently, cybersecurity experts at ESET identified that North Korean hackers had been actively using a previously unknown backdoor called Dolphin. This backdoor has been used for more than a year to carry out highly targeted operations against South Korean targets.
In this operation, the attackers appear to deploy Dolphin primarily to steal files, which are then uploaded to Google Drive.
Because Dolphin is sophisticated malware, the attackers reserve it for selected targets. It is deployed only after a victim has already been compromised with less sophisticated malware, which is then used to install the backdoor.
Dolphin Malware From ScarCruft Group
In addition, security analysts have strongly suggested that the operator behind this malware is the ScarCruft group, which is also known by several other names:-
- Red Eyes
It has been reported that since 2012, the group has been involved in espionage activities aligned with the interests of the North Korean government.
Researchers first discovered Dolphin in April 2021. Over the following months, they observed new versions with improved code and anti-detection mechanisms.
A number of components were used in the cyberattack, including:-
- An exploit for Internet Explorer
These components delivered a backdoor called BLUELIGHT, which was described as the final payload of the attack.
On a compromised system, the attackers use BLUELIGHT to launch Dolphin's Python loader as part of the espionage operation. The loader itself, however, plays no significant role in the espionage activity.
Capabilities of Dolphin
Dolphin offers a wide variety of spying features and capabilities, listed below:-
- Monitoring drives
- OS version
- Monitoring portable devices
- Exfiltrating files of interest
- Collecting RAM size and usage data
- Acquiring local and external IP addresses
- Taking screenshots
- Stealing credentials from browsers
- List of installed security products
- Result of check for debugger and other inspection tools (such as Wireshark)
- Current time
Evolution of Dolphin
Dolphin is an executable written in C++ that currently uses Google Drive for two purposes:-
- As a C2 server
- To store stolen files
The malware also establishes persistence by modifying the Windows registry. Dolphin has been modified repeatedly since its initial discovery in April 2021.
Security analysts report having observed multiple versions of Dolphin since then.
ESET researchers have captured four distinct versions of the Dolphin backdoor, the latest being version 3.0 from January 2022.
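The Google Drive channel described above gives defenders a concrete pattern to hunt for. The following is an added example written for this article, not code from ESET or from the malware: it scans constructed proxy-style log lines for a process outside an allow-list reaching Google's Drive API hosts, and for bulk upload volume to those hosts. The log format, the allow-list, the upload threshold and the hostnames assumed to appear in the logs are all assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (assumed, not a real product's schema):
#   <ts> host=<endpoint> proc=<image name> dst=<remote host> bytes_out=<n>
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
                    r"dst=(?P<dst>\S+) bytes_out=(?P<out>\d+)$")
# Real Google API hostnames a Drive client must reach (assumed to appear in proxy logs).
DRIVE_HOSTS = {"www.googleapis.com", "oauth2.googleapis.com"}
# Processes allowed to talk to Drive in this hypothetical environment.
ALLOWED_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["proc"], rec["out"] = rec["proc"].lower(), int(rec["out"])
    return rec

def hunt_drive_c2(lines, upload_threshold=1_000_000):
    """Return sorted (host, proc, reason) findings: a non-allow-listed process reaching
    a Drive API host, or any process whose total upload to those hosts crosses the threshold."""
    uploads = defaultdict(int)
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in DRIVE_HOSTS:
            continue  # unparsable line or traffic unrelated to Drive
        key = (rec["host"], rec["proc"])
        uploads[key] += rec["out"]
        if rec["proc"] not in ALLOWED_DRIVE_CLIENTS:
            findings.add(key + ("unexpected_drive_client",))
    for key, total in uploads.items():
        if total >= upload_threshold:
            findings.add(key + ("bulk_upload",))
    return sorted(findings)

# Constructed sample telemetry: an unexpected binary on ws-17 talks to Drive and pushes
# ~1.2 MB; ws-22 shows the Drive client itself doing a large but expected sync.
SAMPLE_LOG = """\
2022-01-10T09:00:01Z host=ws-17 proc=chrome.exe dst=www.googleapis.com bytes_out=2048
2022-01-10T09:02:14Z host=ws-17 proc=updater.exe dst=oauth2.googleapis.com bytes_out=512
2022-01-10T09:02:15Z host=ws-17 proc=updater.exe dst=www.googleapis.com bytes_out=734003
2022-01-10T09:05:40Z host=ws-17 proc=updater.exe dst=www.googleapis.com bytes_out=512000
2022-01-10T09:06:00Z host=ws-22 proc=googledrivefs.exe dst=www.googleapis.com bytes_out=4000000
"""
FINDINGS = hunt_drive_c2(SAMPLE_LOG.splitlines())
```

Both reasons fire for the unexpected binary on ws-17, while the allowed Drive client on ws-22 is surfaced only for volume, so the two signals are worth triaging separately.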
This is yet another example of how ScarCruft is able to take advantage of cloud storage services with its extensive arsenal of backdoors.