Researchers from the information security company ESET have found a backdoor linked to North Korea that has a wide range of spying capabilities not only on the targeted PC, but also on other mobile devices connected to it.
According to the company, the backdoor is capable of monitoring drives and smartphones connected to a computer, extracting important files from them, recording keyboard clicks, taking screenshots, and stealing credentials from browsers.
The researchers explained that the back door, which they called the dolphin, has specific functions. He misuses cloud storage services, such as Google Drive in particular, for the purposes of command and control communication.
According to the researchers, whoever is behind the Dolphin backdoor is the ScarCruft spy group, also known as APT37 or Reaper, which has been in operation since at least 2012.
The researchers said the group focused its work primarily on South Korea, but had also targeted other Asian countries in the past. It is interested in government and military institutions, and companies in various industries linked to North Korean interests.
ESET explained that the Dolphin backdoor, after being deployed on specific targets, searches the disks of the compromised systems in search of files of interest and outputs them to Google Drive.
The company said: “Among the unusual capabilities found in previous versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their level of security. The reason is likely to maintain access to the threat actors’ Gmail account.”
In 2021, the ScarCruft Group launched an attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, such as an exploit for Microsoft's Internet Explorer web browser.
Since the initial discovery of the Dolphin backdoor in April 2021, ESET researchers have noticed multiple versions of it, as attackers have worked to improve its capabilities in an attempt to avoid detection.
The researchers said that the backdoor has the advantage that it actively searches drives and automatically filters files with interesting extensions, and collects basic information about the target device, including: operating system version, list of installed security products, user name, and computer name.
By default, Dolphin searches all hard drives such as HDD, SSD, and non-volatile drives such as USB external storage drives, creates directories lists, and pulls files by extension. The backdoor also searches for portable devices connected to the computer, such as smartphones, through the Windows Portable Device API.
The backdoor also steals credentials from browsers, and is capable of recording keyboard clicks and taking screenshots. Finally, the backdoor puts this data into encrypted zip archives before uploading it to Google Drive.