Windows Malware Can Steal Data from Mobile Phones

For many security firms, the threats posed by nation-state actors foreshadow the threats they will soon face from financially motivated actors. One such path may have been charted by the discovery that a new Windows backdoor is being used by North Korean state-sponsored hackers in a highly targeted campaign to steal files and send them to Google Drive storage. What's more, data can also be stolen from any mobile device connected to the infected Windows machine.

According to a new report published by ESET, the North Korean state-sponsored group ScarCruft, also tracked as APT37, has developed a new backdoor which ESET calls Dolphin.


ESET researchers summarised the backdoor’s capabilities as,

“Dolphin has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C&C communication.”

According to security researchers, Dolphin was discovered in an attack against a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT, which was described by Kaspersky security researchers.

Previous analysis of the BLUELIGHT backdoor assumed it was the final payload. However, based on ESET's research, the final payload is the newly discovered Dolphin backdoor.

Researchers believe that BLUELIGHT is used to conduct basic reconnaissance on targeted machines, with Dolphin being the more sophisticated of the two and used for exfiltration of data.

Dolphin can exfiltrate data either on the operator's manual instruction or automatically, actively searching drives for data worth stealing.

BLUELIGHT initiates the dropping of Dolphin by installing a Python loader, consisting of a script and shellcode, which launches a multi-step XOR decryption chain that includes process creation.

The installation eventually results in the execution of the Dolphin payload in a newly created process. Dolphin is fundamentally a C++ executable that uses Google Drive both as a command-and-control server and as storage for stolen files.

Persistence is achieved by modifying the Windows Registry. The malware also collects the following information about the infected system:

  • Username
  • Computer name
  • Local and external IP address
  • Installed security software
  • RAM size and usage
  • Presence of debugging or network packet inspection tools
  • OS version

Connected Devices are not Safe

Perhaps the most interesting and alarming function of Dolphin is its ability to steal data from mobile phones connected to the infected Windows machine. It does this by abusing the Windows Portable Device API.

Before all the alarm bells are rung, it should be noted that ESET researchers believe this feature is still under development. Administrators should nonetheless be aware that this is possible and take measures to harden their IT infrastructure.

Researchers determined the feature was still under development based on several factors: the use of a hardcoded path containing a username that likely does not exist on the victim's computer; missing variable initialization, meaning some variables are assumed to be zero or are dereferenced as pointers without being initialized; and the absence of file-extension filtering in the code sample.

One of the more interesting aspects of this feature under development is the ability to lower the security of a victim's Google account by changing related settings.

This can possibly be used by the attackers to keep their access to the victim's account for a longer period. Researchers discovered three versions of Dolphin, with the feature that accesses the victim's Google settings removed in later versions, possibly because of Google's ability to detect and prevent malicious access to user accounts.

While it looks like the feature has been abandoned, it cannot be said with any certainty that it will not crop up again in later versions that might be in the wild at the time of writing.

ESET researchers concluded,

“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services. After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors. During our analysis of multiple versions of the Dolphin backdoor, we saw continued development and attempts to evade detection.”

While the ability to steal data from connected mobile devices is still in development, one can safely bet that other malware developers have either taken inspiration from this or developed their own features to perform a similar job.

It is often the well-resourced state-sponsored groups that plot the future of malware development and the ability to steal data from connected phones may be the next must-have feature for malware-as-a-service providers.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
