ESET researchers have found the ScarCruft group using a backdoor named Dolphin to attack specific targets. According to reports, the group reaches compromised systems through Google Drive and retrieves the files it wants. The same backdoor was also used in a watering hole attack on a South Korean digital newspaper in 2021.
Researchers observed several modifications and added features in the Dolphin backdoor since 2021, intended to reduce its chances of being detected. According to the security experts, Dolphin can also change the security settings of the Google and Gmail accounts on the breached system. Apart from this, it can perform the following functions:
- Watching the device’s activities
- Spying on portable devices connected to the breached device
- Exfiltrating files to the command-and-control server
- Keylogging to copy keyboard input
- Taking screenshots of the system files
- Copying login credentials from the browser
- Breaching cloud storage, including Google Drive
The Dolphin loader is a Python script; the backdoor itself is a Windows executable written in C++ and collects the required information from the compromised device. It uses persistence so that it runs again whenever the system restarts. It collects the following information:
- Username
- Computer name
- Local and external IP address
- Installed security products
- RAM details
- Availability of a debugger and similar tools
- OS version
- Device time
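The behaviour described above (a script-based loader that persists across reboots and a backdoor that moves files through Google Drive) is the kind of pattern a defender can hunt for with two simple checks: autorun entries that launch a script interpreter from a user-writable directory, and processes other than browsers or the official Drive client contacting Google Drive endpoints. The following is an added example written for this page, not ESET's tooling; the persistence entries, the egress-log format, the interpreter names and the list of expected Drive clients are all constructed assumptions for the demo, not indicators from the report.

```python
"""Illustrative hunt for script-based persistence plus Google Drive egress.
Added example, not ESET's code; all inputs below are constructed."""

from dataclasses import dataclass
import re

# Constructed sample: autorun-style persistence entries as (name, command line).
# These are not IoCs from the ESET report; they only exercise the checks.
PERSISTENCE_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Updater", r"C:\Users\alice\AppData\Roaming\py\pythonw.exe C:\Users\alice\AppData\Roaming\py\upd.py"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Constructed sample egress log: timestamp, host, process image, destination:port.
EGRESS_LOG = """\
2022-11-30T09:12:01Z ws-17 C:\\Users\\alice\\AppData\\Roaming\\py\\pythonw.exe www.googleapis.com:443
2022-11-30T09:12:05Z ws-17 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe drive.google.com:443
2022-11-30T09:13:40Z ws-17 C:\\Users\\alice\\AppData\\Roaming\\py\\pythonw.exe drive.google.com:443
2022-11-30T09:14:02Z ws-17 C:\\Windows\\System32\\svchost.exe update.microsoft.com:443
"""

# Google Drive endpoints to watch (assumption: these cover the traffic of interest).
DRIVE_HOSTS = {"drive.google.com", "www.googleapis.com"}
# Script interpreters a Python-based loader would need on the host (assumption).
SCRIPT_INTERPRETERS = ("python.exe", "pythonw.exe")
# Images that are expected to talk to Drive: browsers and the official client (assumption).
EXPECTED_DRIVE_CLIENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe")


@dataclass(frozen=True)
class Finding:
    kind: str
    image: str   # lower-cased path of the executable the finding is about
    detail: str


def find_script_persistence(entries):
    """Flag autorun entries that launch a script interpreter from AppData."""
    out = []
    for name, cmd in entries:
        lowered = cmd.lower()
        if any(interp in lowered for interp in SCRIPT_INTERPRETERS) and "\\appdata\\" in lowered:
            # First token is the interpreter path (the constructed paths have no spaces).
            out.append(Finding("script_persistence", cmd.split(" ", 1)[0].lower(), f"{name}: {cmd}"))
    return out


# timestamp, host, image path (may contain spaces), destination host, port
LOG_RE = re.compile(r"^(\S+) (\S+) (.+?) (\S+):(\d+)$")


def find_unexpected_drive_clients(log_text):
    """Flag processes reaching Drive endpoints that are not browsers or the Drive client."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, image, dest, _port = m.groups()
        if dest.lower() not in DRIVE_HOSTS:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe not in EXPECTED_DRIVE_CLIENTS:
            out.append(Finding("unexpected_drive_client", image.lower(), f"{ts} {host} {image} -> {dest}"))
    return out


def hunt(entries, log_text):
    """Run both checks and add one combined finding per image that both persists
    via autorun and contacts Google Drive."""
    findings = find_script_persistence(entries) + find_unexpected_drive_clients(log_text)
    persisted = {f.image for f in findings if f.kind == "script_persistence"}
    seen = set()
    for f in list(findings):
        if f.kind == "unexpected_drive_client" and f.image in persisted and f.image not in seen:
            seen.add(f.image)
            findings.append(Finding("persistent_drive_client", f.image,
                                    "autorun script interpreter also contacts Google Drive"))
    return findings


if __name__ == "__main__":
    for f in hunt(PERSISTENCE_ENTRIES, EGRESS_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run stand-alone, the script reports the AppData-hosted `pythonw.exe` autorun entry, its two connections to Drive endpoints, and one combined alert tying the two together, while the Chrome connection to drive.google.com and the `svchost.exe` connection to Microsoft are left alone. The combined alert is the useful one: either check alone produces noise on a developer workstation, but an interpreter that is both persisted from a user-writable directory and talking to cloud storage deserves a look.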
In a previous incident in South Korea, a multistage attack on a news website was launched using another ScarCruft backdoor called Bluelight. It was a watering hole attack, in which a group of individuals was targeted through a website they frequently visited. Malware was delivered to gain unauthorized access and then carry out the attackers' chosen activities on the victims' systems.
In 2018, a watering hole attack was launched on Chinese systems by a Chinese-speaking group called LuckyMouse or Iron Tiger. They used the HyperBro malware to launch a persistent attack and gain remote access.
The impacts of a backdoor
Backdoors are malware variants meant to gain system access while evading normal authentication processes. They support cyberespionage by giving the attacker access to system files and allowing data to be transferred from the system to command-and-control servers.
About the ScarCruft APT group
ScarCruft is also known as APT37, Group123, InkySquid, Operation Daybreak, Operation Erebus, Red Eyes, Ricochet Chollima, Venus 121, ATK4, G0067, Moldy Pisces, and Reaper, and has been operating since at least 2012. It has targeted South Korean public- and private-sector organizations and has also attacked Japan, the Middle East, and Vietnam.
The group has targeted organizations in the chemical, healthcare, aerospace, electronics, and automotive industries. It has also been linked to North Korea because of its choice of targets and how compromising them would serve North Korea's strategic interests.