Headline
North Korean APT37 Unleashes Dolphin Backdoor on South Korea
By Habiba Rashid The backdoor is equipped with a wide range of spying capabilities, including exfiltrating files, keylogging, and stealing browser data, etc. This is a post from HackRead.com Read the original post: North Korean APT37 Unleashes Dolphin Backdoor on South Korea
On 30th November, ESET researchers uncovered Dolphin, a sophisticated backdoor used by an APT group named ScarCruft, likely to be linked to North Korea.
The group also referred to as APT37, InkySquid, Reaper, and Ricochet Chollima, is known to attack government entities, diplomats, and news organizations in South Korea and certain other Asian countries.
The geopolitical espionage group has been active since 2012, working to compromise targets linked to the interests of North Korea. It is worth noting that in August 2021, the same APT group was previously found using the Konni RAT variant against Russian organizations, while in December 2019, Microsoft had already spotted and dismantled a network of 50 malicious domains used by the group.
This time around, the backdoor used by the group has a wide range of spying capabilities which includes monitoring drives and portable devices, exfiltrating files of interest (such as media, documents, emails, and certificates), keylogging, taking screenshots, and stealing credentials from browsers.
Initially, a targeted device is compromised using less advanced malware after which the Dolphin backdoor is deployed to abuse cloud storage services, specifically Google Drive, to allow Command and Control (C&C) communication.
During their investigation, ESET researchers observed that the older versions of the previously unreported backdoor were able to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, in order to gain access to victims’ email inboxes.
Furthermore, it searches the drives of compromised systems for interesting files and infiltrates them into Google Drive. This should not come as a surprise since Google Drive is accounted for 50% of malicious document downloads.
It was first found by the Slovak cybersecurity company in early 2021 and deployed as a final-stage payload as part of a watering hole attack against a South Korean digital newspaper. The campaign exploited two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.
Although made by the same APT Group, BLUELIGHT is not as advanced as Dolphin and is only used to execute an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the Dolphin backdoor.
Dolphin backdoor’s infection chain (ESET)
“While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,” ESET researcher Filip Jurčacko explained in a blog post.
Since initially being discovered in April 2021, Dolphin has undergone three successive iterations that improve its features and grant it more capabilities to evade detection.
“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” Jurčacko said. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”
- N. Korean hackers stole $1.7B from cryptocurrency exchanges
- N. Korean Radio Station Hacked to Play “The Final Countdown”
- US Warns Firms About N. Korean Hackers Posing as IT Workers
- N. Korean hackers used VPN flaws to hack S Korean atomic agency
- Elite N. Koreans aren’t opposed to exploiting internet for financial gain
I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.
Related news
The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode.
An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023. "The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows
The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News. "Although it has yet to substantially change its exploits in its more recent activity, the type and
An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is
The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing
The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing
The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022. The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in
Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.