- Researchers from ESET have discovered Dolphin, a previously unreported backdoor used by the ScarCruft APT group.
- Dolphin is used on selected targets only and searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive.
- Dolphin was used as the final payload of a multistage attack in early 2021 that combined a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor named Bluelight.
ESET's security researchers uncovered a new, sophisticated backdoor called Dolphin while investigating another backdoor known as Bluelight. The findings were published in a blog post giving insight into how the newly found backdoor operates.
The targets are mainly from South Korea
ESET's researchers found that the Dolphin backdoor is used by the ScarCruft APT group, also known as APT37 or Reaper. The group mainly targets victims in South Korea, though it has also attacked targets in other Asian countries. The researchers state that Dolphin was used as the final payload of a multistage attack in early 2021 that combined a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor named Bluelight. Bluelight was previously reported by Volexity and Kaspersky.

Dolphin is more sophisticated
ESET researchers say that while Bluelight performs basic surveillance on its victims, Dolphin actively searches the drives of compromised systems for files of interest and exfiltrates them to Google Drive. Dolphin's other capabilities include keylogging, taking screenshots, and stealing credentials from browsers. According to the analysis, some Dolphin versions can lower the security of signed-in Gmail accounts, most probably to keep access to victims' inboxes: the backdoor steals the existing cookie of the logged-in account from the browser and crafts requests that modify the account's settings. The blog post states:
« Dolphin is a backdoor that collects information and executes commands issued by its operators. The backdoor is a regular Windows executable, written in C++. It communicates with Google Drive cloud storage, which is used as its C&C server. We named the backdoor Dolphin based on a PDB path found in the executable: D:\Development\BACKDOOR\Dolphin\x64\Release\Dolphin.pdb »
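As an added example (not code from ESET's report or from this article), the following Python hunter pulls CodeView (RSDS) PDB records out of a raw PE file or memory dump and compares each path against a watchlist seeded with the Dolphin path quoted above; the sample blob it scans is constructed inline and is not a real Dolphin binary.

```python
import re
import struct
import uuid
from typing import List, Tuple

# PDB path quoted on this page. A build path is a weak indicator on its own (trivial for
# the author to change), so treat a hit as a triage lead, not a conviction.
DOLPHIN_PDB_PATH = r"D:\Development\BACKDOOR\Dolphin\x64\Release\Dolphin.pdb"
WATCHLIST = {DOLPHIN_PDB_PATH.lower(): "ScarCruft Dolphin (per ESET report)"}

# CodeView RSDS record layout: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?)\x00", re.DOTALL)


def extract_pdb_records(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, pdb_path) for every RSDS record in the blob.

    The blob is scanned wholesale rather than via the PE debug directory, so this also
    works on memory dumps and truncated files where the headers are missing or damaged.
    """
    records = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        records.append((guid, age, m.group(3).decode("ascii")))
    return records


def match_watchlist(data: bytes) -> List[str]:
    """Labels from WATCHLIST whose PDB path appears in the blob (case-insensitive)."""
    hits = []
    for _guid, _age, path in extract_pdb_records(data):
        label = WATCHLIST.get(path.lower())
        if label:
            hits.append(label)
    return hits


def _constructed_sample(path: str) -> bytes:
    """Constructed stand-in blob carrying one RSDS record; not a real Dolphin binary."""
    guid = uuid.UUID(int=0x0123456789ABCDEF0123456789ABCDEF)  # fixed, arbitrary test GUID
    rec = b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + path.encode("ascii") + b"\x00"
    return b"MZ" + b"\x00" * 64 + rec + b"\x00" * 16


if __name__ == "__main__":
    print(match_watchlist(_constructed_sample(DOLPHIN_PDB_PATH)))
    print(match_watchlist(_constructed_sample(r"C:\build\benign\app.pdb")))
```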
The research group found that Dolphin's capabilities have been improved since its initial discovery in April 2021. Currently, Dolphin is capable of collecting the current backdoor configuration, username, computer name, local and external IP addresses, a list of installed security products, RAM size and usage, the result of a check for a debugger and other inspection tools (such as Wireshark), the OS version, the current time, and the malware version. The ESET research team adds that Dolphin is another addition to ScarCruft's extensive arsenal of backdoors that abuse cloud storage services.