December 5, 2023

Researchers uncovered the Dolphin backdoor used by the ScarCruft APT group, which is linked to North Korea.

The group, also referred to as APT37, InkySquid, Reaper, and Ricochet Chollima, is known to attack government entities, diplomats, and news organizations in South Korea and certain other Asian countries.

This espionage group, linked to North Korea, has been active since 2012. It was previously found using the Konni RAT variant against Russian organizations, and in December 2019 Microsoft spotted and dismantled a network of 50 malicious domains used by the group.


The backdoor used by the group has a wide range of spying capabilities, including monitoring drives and portable devices, exfiltrating files of interest, keylogging, taking screenshots, and stealing credentials from browsers.

The target is initially compromised using less advanced malware, after which the Dolphin backdoor is deployed. It abuses cloud storage services, specifically Google Drive, for C&C communication.

Researchers observed that older versions of the backdoor were able to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security in order to gain access to victims’ email inboxes. The backdoor also searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive.

First discovered in April 2021, Dolphin has undergone three successive iterations that improved its features and granted it more capabilities to evade detection.

Indicators of Compromise

