For many security firms, the dangers posed by nation-state threat actors plot the course for the dangers they will shortly face from financially motivated threat actors. One such course may have been plotted with the discovery of a new Windows backdoor used by North Korean state-sponsored hackers in a highly targeted campaign to steal files and send them to Google Drive storage. What’s more, data can also be stolen from any mobile device connected to the Windows machine.
ESET researchers summarised the backdoor’s capabilities as,
“Dolphin has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C&C communication.”
According to security researchers, Dolphin was discovered in an attack against a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT, which was described by Kaspersky security researchers.
Previous analysis of the BLUELIGHT backdoor assumed it was the final payload. However, based on ESET’s research, the final payload is the newly discovered Dolphin backdoor.
Researchers believe that BLUELIGHT is used to conduct basic reconnaissance on targeted machines with Dolphin being the more sophisticated of the two, used for exfiltration of data.
Exfiltration can be triggered manually or run automatically, with the backdoor actively searching attached drives for data worth stealing.
BLUELIGHT initiates the dropping of Dolphin by installing a Python loader that includes a script and shellcode, which launch a multi-step XOR-decryption chain that includes process creation.
The installation eventually results in the execution of the Dolphin payload in the memory of a newly created process. Dolphin is fundamentally a C++ executable that uses Google Drive both as a command-and-control server and to store stolen files.
Persistence is achieved by modifying the Windows Registry. Other information the malware collects from the infected machine includes:
- Computer name
- Local and external IP address
- Installed security software
- RAM size and usage
- Presence of debugging or network packet inspection tools
- OS version
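The behaviours described above (a Python loader launched from a user-writable path, Run-key persistence in the Registry, and Google Drive used as C&C from a process that is not a browser or sync client) are the kind of endpoint telemetry a defender can triage. The following is an added example, not code from ESET or from the Dolphin analysis: it runs simple heuristics over constructed Sysmon-style event records (process creation, registry value set, network connection) and escalates any binary that trips more than one of them. All paths, hostnames and event values are invented for the example; the allow-list of legitimate Drive clients is an assumption to be tuned per environment.

```python
"""Heuristic triage of constructed endpoint events for the loader, persistence
and cloud-C&C behaviours described in the article. Example code, not ESET's."""
import re
from collections import defaultdict

# Constructed Sysmon-like events: id 1 = process create, 13 = registry value
# set, 3 = network connection. Every value here is invented for the example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmdline": r"pythonw.exe C:\Users\alice\AppData\Local\Temp\py\loader.py"},
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vendor\DisplayName",
     "details": "Vendor App"},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.googleapis.com", "dest_port": 443},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dest_host": "www.googleapis.com", "dest_port": 443},
]

# Registry autostart locations the article's persistence description points at.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories a normal user can write to; a loader script living here is suspect.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Google Drive API endpoints (hostnames assumed for the example).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
# Processes expected to talk to Drive; an assumption, tune per environment.
ALLOWED_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def run_key_persistence(events):
    """Registry writes into Run/RunOnce keys."""
    return [e for e in events if e["id"] == 13 and RUN_KEY_RE.search(e["target"])]


def script_loader_from_temp(events):
    """A Python interpreter started with a script under a user-writable path."""
    return [e for e in events if e["id"] == 1
            and basename(e["image"]) in {"python.exe", "pythonw.exe"}
            and USER_WRITABLE_RE.search(e["cmdline"])]


def drive_traffic_from_unexpected_process(events):
    """Connections to Drive endpoints from anything outside the allow-list."""
    return [e for e in events if e["id"] == 3
            and e["dest_host"] in DRIVE_HOSTS
            and basename(e["image"]) not in ALLOWED_DRIVE_CLIENTS]


def triage(events):
    """Group heuristic hits by the responsible binary so that one image tripping
    several behaviours stands out from isolated, possibly benign matches."""
    hits = defaultdict(set)
    for e in run_key_persistence(events):
        hits[e["image"]].add("run_key_persistence")
    for e in script_loader_from_temp(events):
        hits[e["parent"]].add("script_loader")  # blame whatever launched python
    for e in drive_traffic_from_unexpected_process(events):
        hits[e["image"]].add("cloud_c2")
    return dict(hits)


def high_confidence(events, min_tags=2):
    """Images matching at least min_tags distinct heuristics, sorted."""
    return sorted(img for img, tags in triage(events).items() if len(tags) >= min_tags)


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(tags))}")
    print("escalate:", high_confidence(SAMPLE_EVENTS))
```

Each heuristic on its own will produce noise (software installers legitimately write Run keys, and developers run Python from their profile), which is why the correlation step attributes the loader hit to the parent process and only escalates a binary seen in two or more behaviours.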
Connected Devices are not Safe
Perhaps the most interesting and alarming function of Dolphin is its ability to steal data from mobile phones connected to the infected Windows machine. It does this by abusing the Windows Portable Device API.
Before all the alarm bells are rung, ESET researchers believe that this feature is still under development; however, administrators should still be made aware that this is possible and should take measures to harden their IT infrastructure.
Researchers determined the feature was still under development based on several factors, including the use of a hardcoded path with a username that likely doesn’t exist on the victim’s computer; missing variable initialisation, meaning that some variables are assumed to be zero or are dereferenced as pointers without initialisation; and missing extension filtering in the code sample.
One of the more interesting aspects of this feature under development is the ability to lower the security of a victim's Google account by changing related settings.
This can possibly be used by the attackers to retain access to the victim's account for a longer period. Researchers discovered three versions of Dolphin, with the feature to access the victim’s Google settings removed in later versions, possibly because of Google's ability to detect and prevent malicious access to user accounts.
While it looks like the feature has been abandoned, it cannot be said with any certainty that it will not crop up again in later versions that might be in the wild at the time of writing.
ESET Researchers concluded,
“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services. After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors. During our analysis of multiple versions of the Dolphin backdoor, we saw continued development and attempts to evade detection.”
While the ability to steal data from connected mobile devices is still in development, one can safely bet that other malware developers have either taken inspiration from this or developed their own features to perform a similar job.
It is often the well-resourced state-sponsored groups that plot the future of malware development, and the ability to steal data from connected phones may be the next must-have feature for malware-as-a-service providers.