Evasive, targeted and strategic — this is one animalistic backdoor by North Korean advanced persistent threat actors

In 2021, the advanced persistent threat group APT37 (also known as ScarCruft) conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack chain consisted of multiple components, including an Internet Explorer exploit and shellcode that led to a backdoor named BLUELIGHT.

BLUELIGHT was originally described as the attack’s final payload, but further analysis by ESET researchers showed that, on selected victims, this first backdoor was used to deploy a second, more sophisticated backdoor.

The second backdoor was named Dolphin because the executable contained that term. Besides collecting basic information about the targeted machine (including the operating system version, malware version, list of installed security products, username, and computer name), the backdoor has a wide range of spying capabilities, including monitoring drives and portable devices; exfiltrating files of interest; keylogging; taking screenshots; and stealing credentials from browsers. Its deployment is reserved for selected targets, after an initial compromise with less advanced malware.

By default, Dolphin searches all fixed and removable drives, creates directory listings, and exfiltrates files selected by extension. It also searches portable devices, such as smartphones, via the Windows Portable Device API. The collected data (file listings, files of interest, browser credentials, keystrokes and screenshots) is staged in encrypted ZIP archives before being uploaded to Google Drive, which also serves as the command-and-control channel.
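The staging step described above (collected data bundled into encrypted ZIP archives before upload) leaves a useful forensic foothold: the ZIP format keeps entry names, sizes and timestamps in cleartext even when the contents are encrypted, so a responder can see what was collected without knowing the password. The triage script below is an added example, not ESET's code and not anything recovered from Dolphin; it assumes nothing about Dolphin's real staging paths or archive names, builds its own constructed sample tree (with the encrypted flag patched into the ZIP headers, since Python's zipfile module cannot write encrypted entries), and reports every archive under a directory tree that contains encrypted entries.

```python
import io
import os
import struct
import tempfile
import zipfile

# Bit 0 of the ZIP "general purpose bit flag" marks an entry as encrypted.
# Both traditional ZipCrypto and WinZip AES entries set it; the entry name,
# sizes and timestamps next to it stay in cleartext.
ENCRYPTED_FLAG = 0x0001


def encrypted_zip_report(path):
    """Return [(entry_name, uncompressed_size), ...] for the encrypted entries
    of the archive at `path`, or None if the file is not a ZIP archive.
    Entries are never opened, so no password is needed."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        return [(info.filename, info.file_size)
                for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def scan_for_staged_archives(root):
    """Walk `root` and map each archive holding at least one encrypted entry
    to the list returned by encrypted_zip_report()."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries = encrypted_zip_report(path)
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or truncated file: skip, keep scanning
            if entries:
                hits[path] = entries
    return hits


def _set_encrypted_flag(blob):
    """Patch the encrypted bit into every local file header (flag at offset 6)
    and central directory header (flag at offset 8) of an in-memory ZIP.
    Used only to fabricate test data; the payload is not actually encrypted."""
    buf = bytearray(blob)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_offset)[0]
            struct.pack_into("<H", buf, pos + flag_offset, flags | ENCRYPTED_FLAG)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_constructed_sample(root):
    """Constructed sample tree (hypothetical names, not real Dolphin artifacts):
    a plain archive, an archive with encrypted-flagged entries, and a decoy."""
    def make_zip(entries):
        bio = io.BytesIO()
        with zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
        return bio.getvalue()

    plain = make_zip([("readme.txt", "nothing to see here\n")])
    staged = _set_encrypted_flag(make_zip([
        ("C/Users/victim/Documents/budget.xlsx", "x" * 120),
        ("E/DCIM/IMG_0001.jpg", "y" * 300),
    ]))
    staging_dir = os.path.join(root, "AppData", "Local", "Temp")
    os.makedirs(staging_dir, exist_ok=True)
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(plain)
    with open(os.path.join(staging_dir, "upload.zip"), "wb") as f:
        f.write(staged)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("PK decoy text, not an archive\n")


def demo():
    """Build the sample tree in a temp dir, scan it, and return
    {relative_archive_path: [encrypted entry names]}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        hits = scan_for_staged_archives(root)
        return {os.path.relpath(path, root).replace(os.sep, "/"):
                [name for name, _ in entries]
                for path, entries in hits.items()}


if __name__ == "__main__":
    for archive, names in demo().items():
        print(archive)
        for name in names:
            print("   ", name)
```

Run against a suspect profile directory or a mounted disk image, the script lists each archive with encrypted entries together with the names of what was staged; those names, with the original drive letter and path structure, are usually enough to scope what a collector touched before any password is recovered.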

One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably to maintain Gmail account access for the threat actors.

APT37, which deploys Dolphin, primarily focuses on South Korea and seems to be interested mainly in government and military organizations, and firms in various industries linked to North Korean interests. Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which capabilities were improved, and more features were added to evade detection.

Figure: Overview of the attack components leading to the execution of the Dolphin backdoor.