North Korea Hackers Using New “Dolphin” Backdoor to Spy on South Korean Targets

A previously undocumented backdoor called Dolphin has been attributed to the North Korea-linked ScarCruft group, which has used it against targets located in South Korea.

“The backdoor […] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers,” ESET researcher Filip Jurčacko said in a new report published today.

Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.

The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.

The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.

ScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geopolitically motivated APT group with a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It has been known to be active since at least 2012.

Earlier this April, cybersecurity firm Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country, with the ultimate goal of deploying malware dubbed GOLDBACKDOOR that shares overlaps with another ScarCruft backdoor named BLUELIGHT.

The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly targeted espionage operation.

That delivery is achieved by executing installer shellcode that launches a loader made up of a Python component and a shellcode component; the shellcode component in turn runs another shellcode loader that drops the backdoor.

“While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,” Jurčacko explained.

What makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and exfiltrate files of interest, such as media, documents, emails, and certificates.

Since its original discovery in April 2021, the backdoor is said to have undergone three successive iterations, each bringing its own set of feature improvements and additional detection evasion capabilities.

“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” Jurčacko said. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”
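The two traits the article returns to, cloud storage used for both exfiltration and command-and-control, and uploads of collected files, give defenders a traffic pattern to hunt for without any indicator from the malware itself. The following is an added example, not code from ESET's report or from the article: a small Python heuristic that summarizes outbound proxy logs and flags internal clients that push large volumes to Google Drive API endpoints from non-browser user agents. The log format, the sample lines, the list of Drive hostnames and the thresholds are all assumptions for the example; a real deployment would calibrate the byte threshold against the organization's own baseline of legitimate Drive use.

```python
# Added example (not from ESET or the article): a defender-side heuristic that
# flags internal clients uploading unusual volumes to Google Drive endpoints
# from non-browser clients, the traffic shape a backdoor that uses cloud
# storage for exfiltration and C2 would produce.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional
from urllib.parse import urlparse

# Constructed sample proxy log. Assumed record format (one per line):
#   <timestamp> <client_ip> <method> <url> <bytes_out> <user_agent>
SAMPLE_PROXY_LOG = """\
2021-04-12T09:14:07Z 10.0.0.5 GET https://www.google.com/ 512 Mozilla/5.0 (Windows NT 10.0)
2021-04-12T09:15:30Z 10.0.0.5 POST https://www.googleapis.com/upload/drive/v3/files 204800 Mozilla/5.0 (Windows NT 10.0)
2021-04-12T02:01:11Z 10.0.0.7 POST https://www.googleapis.com/upload/drive/v3/files 4194304 python-requests/2.25.1
2021-04-12T02:03:42Z 10.0.0.7 POST https://www.googleapis.com/upload/drive/v3/files 4194304 python-requests/2.25.1
2021-04-12T02:06:09Z 10.0.0.7 GET https://www.googleapis.com/drive/v3/files 1024 python-requests/2.25.1
2021-04-12T11:20:00Z 10.0.0.9 POST https://drive.google.com/upload 1048576 Mozilla/5.0 (Macintosh)
"""

# Assumed set of hostnames that Drive clients talk to; extend per environment.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "content.googleapis.com"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


class Record(NamedTuple):
    ts: str
    client: str
    method: str
    url: str
    bytes_out: int
    user_agent: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one log record; return None for malformed lines instead of raising."""
    parts = line.split(maxsplit=5)  # user agent may contain spaces, so it is the tail
    if len(parts) != 6:
        return None
    try:
        return Record(parts[0], parts[1], parts[2], parts[3], int(parts[4]), parts[5])
    except ValueError:
        return None


def is_browser(user_agent: str) -> bool:
    """Crude browser check (assumption: interactive browsers send a Mozilla/ prefix)."""
    return user_agent.startswith("Mozilla/")


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per client: bytes uploaded to Drive hosts and Drive requests from non-browser agents."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"drive_bytes_out": 0, "non_browser_drive_requests": 0}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (urlparse(rec.url).hostname or "") not in DRIVE_HOSTS:
            continue
        entry = stats[rec.client]
        if rec.method in UPLOAD_METHODS:
            entry["drive_bytes_out"] += rec.bytes_out
        if not is_browser(rec.user_agent):
            entry["non_browser_drive_requests"] += 1
    return dict(stats)


def flag_clients(lines: Iterable[str], byte_threshold: int = 1_000_000,
                 min_non_browser: int = 1) -> List[str]:
    """Clients that both exceed the upload threshold and used a non-browser client.

    Requiring both conditions keeps ordinary browser-based Drive use (even large
    uploads) from firing; the thresholds are assumptions to be tuned locally.
    """
    flagged = [
        client for client, s in summarize(lines).items()
        if s["drive_bytes_out"] >= byte_threshold
        and s["non_browser_drive_requests"] >= min_non_browser
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_PROXY_LOG.splitlines()).items():
        print(client, s)
    print("flagged:", flag_clients(SAMPLE_PROXY_LOG.splitlines()))
```

On the constructed sample, the host at 10.0.0.7 is the only one flagged: it pushed about 8 MB to the Drive upload endpoint at 02:00 from a scripted client, while the browser-driven uploads from the other two hosts are left alone. The same summary table is a reasonable starting point for a baseline: plot per-client Drive upload volume over a few weeks before choosing a threshold, and treat any non-browser user agent talking to the upload endpoint as worth a look on its own.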
