North Korea Hackers Utilizing New “Dolphin” Backdoor to Spy on South Korean Targets

Nov 30, 2022 | Ravie Lakshmanan


The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart.

“The backdoor […] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers,” ESET researcher Filip Jurčacko said in a new report published today.

Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.

The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.

The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.

ScarCruft, also known as APT37, InkySquid, Reaper, and Ricochet Chollima, is a geo-politically motivated APT group that has a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It has been known to be active since at least 2012.


Earlier this April, cybersecurity firm Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying a malware dubbed GOLDBACKDOOR that shares tactical overlaps with BLUELIGHT.

The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.

This, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and a shellcode component, the latter of which runs another shellcode loader to drop the backdoor.

“While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,” Jurčacko explained.

What makes Dolphin even more potent than BLUELIGHT is its ability to search removable devices and connected smartphones, and exfiltrate files of interest, such as media, documents, emails, and certificates.

The backdoor, since its original discovery in April 2021, is said to have undergone three successive iterations that come with their own set of feature enhancements and grant it more detection evasion capabilities.

“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” Jurčacko said. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”
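The three behaviours the article attributes to Dolphin (a Python-based loader stage, Google Drive used for C2 and exfiltration, and enumeration of removable drives) can be correlated on an endpoint. The following is an added detection example written for this article, not code from ESET or from the malware; the event schema, host names, drive letters and log lines are all constructed for illustration.

```python
# Added example: correlate constructed Sysmon-style endpoint events per process and
# flag only processes that match at least two of the behaviours described above.
# A single indicator (e.g. any traffic to Google Drive) is far too common on its own.
from collections import defaultdict

CLOUD_STORAGE_HOSTS = {"drive.google.com", "www.googleapis.com"}  # assumed host list
REMOVABLE_PREFIXES = ("E:\\", "F:\\", "G:\\")  # assumed removable drive letters

# Constructed sample events: (event_type, pid, image_path, detail)
SAMPLE_EVENTS = [
    # pid 4321: python.exe running from Temp, talking to Google APIs, reading a USB drive
    ("process_create", 4321, r"C:\Users\u\AppData\Local\Temp\python.exe", "loader.py"),
    ("network_connect", 4321, r"C:\Users\u\AppData\Local\Temp\python.exe", "www.googleapis.com"),
    ("file_read", 4321, r"C:\Users\u\AppData\Local\Temp\python.exe", r"E:\photos\img001.jpg"),
    # pid 777: a normal Python install reaching PyPI, no other indicators
    ("process_create", 777, r"C:\Program Files\Python311\python.exe", "build.py"),
    ("network_connect", 777, r"C:\Program Files\Python311\python.exe", "pypi.org"),
    # pid 900: a legitimate sync client; cloud traffic alone must not fire
    ("network_connect", 900, r"C:\Program Files\Google\Drive\GoogleDriveFS.exe", "drive.google.com"),
]


def classify_event(event):
    """Map one event to an indicator name, or None if it matches nothing."""
    etype, _pid, image, detail = event
    img = image.lower()
    if etype == "process_create" and img.endswith("python.exe") and "\\temp\\" in img:
        return "python_from_temp"
    if etype == "network_connect" and detail.lower() in CLOUD_STORAGE_HOSTS:
        return "cloud_storage_traffic"
    if etype == "file_read" and detail.upper().startswith(REMOVABLE_PREFIXES):
        return "removable_drive_access"
    return None


def score_events(events, threshold=2):
    """Return {pid: set(indicators)} for processes with >= threshold distinct indicators."""
    hits = defaultdict(set)
    for event in events:
        indicator = classify_event(event)
        if indicator is not None:
            hits[event[1]].add(indicator)
    return {pid: inds for pid, inds in hits.items() if len(inds) >= threshold}


if __name__ == "__main__":
    for pid, inds in score_events(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {sorted(inds)}")
```

Tune the path and host lists to the environment and feed real process, network and file events into `score_events`; the threshold keeps the legitimate sync client (pid 900) out of the results.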
