ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C&C communication.

During our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes. In this blogpost, we provide a technical analysis of the Dolphin backdoor and explain its connection to previously documented ScarCruft activity.

We will present our findings about this new addition to ScarCruft’s toolset at the AVAR 2022 conference.

- ESET researchers analyzed Dolphin, a previously unreported backdoor used by the ScarCruft APT group.
- Dolphin is deployed on selected targets only; it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive.
- The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT.
- Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.
- A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security.

ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries also have been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea.

In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT, reported by Volexity and Kaspersky. In those reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analyzing the attack, we discovered through ESET telemetry a second, more sophisticated backdoor, deployed on selected victims via BLUELIGHT.

We named this backdoor Dolphin based on a PDB path found in the executable. While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are capable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically exfiltrates files with extensions of interest to ScarCruft.

Figure 1 provides an overview of the attack components leading to the execution of the Dolphin backdoor.

Figure 1. Overview of the attack components leading to the execution of the Dolphin backdoor

## Dolphin analysis

Analysis of Dolphin’s components and their capabilities is provided in the following section. The analysis is based on the first version of the backdoor that we found, 1.9 (based on a string found in the code), with additional information about changes in newer versions. A summarized description of the version changes can be found in the Dolphin evolution section.

## Dolphin installer

Ensuing sections describe the installer and loader components responsible for the execution of the Dolphin backdoor in the analyzed attack scenario. It is worth noting that this installer and the deployed loader are not exclusive to Dolphin, and were previously seen used with other ScarCruft malware.

The installer shellcode follows these main objectives:

- Download and deploy a Python interpreter.
- Generate and deploy a loading chain with its payload.
- Ensure persistence of the loading chain.

The installer downloads a CAB file from OneDrive, containing a legitimate Python 2.7 interpreter. The CAB is unpacked to %APPDATA%, and, depending on architecture, the interpreter ends up in one of the following directories:

The installer generates two file paths for loading-chain components, and, with the format \\.
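A defender-side way to hunt for the installer behaviour described above: a CAB archive written under %APPDATA%, followed shortly afterwards by a Python interpreter unpacked under the same user-writable profile directory by the same process. This is an added example, not code from ESET or from the report; the pipe-separated event format, the process names, the paths and the timestamps in the sample are constructed, and the ten-minute window and interpreter file names are assumptions chosen for illustration.

```python
"""
Hunt for the loading-chain pattern: CAB dropped under %APPDATA%, then a
Python 2.7 interpreter unpacked beneath %APPDATA% by the same process within
a short window.  Added example; event format and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File names that indicate a Python 2.7 interpreter was unpacked (assumption).
INTERPRETER_NAMES = {"python.exe", "pythonw.exe", "python27.dll"}

# Constructed sample of file-creation events: "ISO-time|creating process|path".
# Only the first three lines form the pattern; the last two are benign noise.
SAMPLE_EVENTS = """\
2021-04-12T10:00:01|iexplore.exe|C:\\Users\\alice\\AppData\\Roaming\\stage.cab
2021-04-12T10:00:04|iexplore.exe|C:\\Users\\alice\\AppData\\Roaming\\pydir\\python.exe
2021-04-12T10:00:04|iexplore.exe|C:\\Users\\alice\\AppData\\Roaming\\pydir\\python27.dll
2021-04-12T11:30:00|msiexec.exe|C:\\Program Files\\Python27\\python.exe
2021-04-12T12:00:00|setup.exe|C:\\Users\\bob\\AppData\\Roaming\\tool\\archive.cab
"""


@dataclass
class FileEvent:
    time: datetime
    process: str
    path: str


def parse_events(text: str) -> list[FileEvent]:
    """Parse the constructed 'time|process|path' lines into FileEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, path = line.split("|", 2)
        events.append(FileEvent(datetime.fromisoformat(ts), proc, path))
    return events


def is_under_appdata(path: str) -> bool:
    """True if any directory component of the Windows path is 'AppData'."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "appdata" in parts


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def find_loading_chain(events, window=timedelta(minutes=10)):
    """Correlate CAB drops with interpreter artifacts under %APPDATA%.

    Returns one finding per (process, CAB path) pair, listing every interpreter
    file that process wrote under AppData within `window` after the CAB.
    """
    events = sorted(events, key=lambda e: e.time)
    cabs = [e for e in events
            if basename(e.path).endswith(".cab") and is_under_appdata(e.path)]
    findings: dict[tuple[str, str], list[str]] = {}
    for e in events:
        if basename(e.path) not in INTERPRETER_NAMES or not is_under_appdata(e.path):
            continue
        for cab in cabs:
            same_actor = cab.process == e.process
            in_window = cab.time <= e.time <= cab.time + window
            if same_actor and in_window:
                findings.setdefault((e.process, cab.path), []).append(e.path)
    return [{"process": p, "cab": c, "artifacts": a}
            for (p, c), a in findings.items()]


if __name__ == "__main__":
    for hit in find_loading_chain(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['process']}: {hit['cab']} -> {len(hit['artifacts'])} interpreter file(s)")
```

A Python interpreter under AppData is not suspicious on its own (per-user installers legitimately place Python there), which is why the rule keys on the CAB drop and the same creating process within a short window rather than on the interpreter file alone; the window length and the interpreter file names are the knobs to tune against real telemetry.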