ESET
researchers
uncover
Dolphin,
a
sophisticated
backdoor
extending
the
arsenal
of
the
ScarCruft
APT
group
ESET
researchers
have
analyzed
a
previously
unreported
backdoor
used
by
the
ScarCruft
APT
group.
The
backdoor,
which
we
named
Dolphin,
has
a
wide
range
of
spying
capabilities,
including
monitoring
drives
and
portable
devices
and
exfiltrating
files
of
interest,
keylogging
and
taking
screenshots,
and
stealing
credentials
from
browsers.
Its
functionality
is
reserved
for
selected
targets,
to
which
the
backdoor
is
deployed
after
initial
compromise
using
less
advanced
malware.
In
line
with
other
ScarCruft
tools,
Dolphin
abuses
cloud
storage
services
–
specifically
Google
Drive
–
for
C&C
communication.
During
our
investigation,
we
saw
continued
development
of
the
backdoor
and
attempts
by
the
malware
authors
to
evade
detection.
A
notable
feature
of
earlier
Dolphin
versions
we
analyzed
is
the
ability
to
modify
the
settings
of
victims’
signed-in
Google
and
Gmail
accounts
to
lower
their
security,
most
likely
to
maintain
access
to
victims’
email
inboxes.
In
this
blogpost,
we
provide
a
technical
analysis
of
the
Dolphin
backdoor
and
explain
its
connection
to
previously
documented
ScarCruft
activity.
We
will
present
our
findings
about
this
new
addition
to
ScarCruft’s
toolset
at
the
AVAR
2022
conference.
Key
points
in
this
blogpost:
-
ESET
researchers
analyzed
Dolphin,
a
previously
unreported
backdoor
used
by
the
ScarCruft
APT
group. -
Dolphin
is
deployed
on
selected
targets
only;
it
searches
the
drives
of
compromised
systems
for
interesting
files
and
exfiltrates
them
to
Google
Drive. -
The
backdoor
was
used
as
the
final
payload
of
a
multistage
attack
in
early
2021,
involving
a
watering-hole
attack
on
a
South
Korean
online
newspaper,
an
Internet
Explorer
exploit,
and
another
ScarCruft
backdoor,
named
BLUELIGHT. -
Since
the
initial
discovery
of
Dolphin
in
April
2021,
ESET
researchers
have
observed
multiple
versions
of
the
backdoor,
in
which
the
threat
actors
improved
the
backdoor’s
capabilities
and
made
attempts
to
evade
detection. -
A
notable
feature
of
earlier
Dolphin
versions
we
analyzed
is
the
ability
to
modify
the
settings
of
victims’
signed-in
Google
and
Gmail
accounts
to
lower
their
security.
ScarCruft
profile
ScarCruft,
also
known
as
APT37
or
Reaper,
is
an
espionage
group
that
has
been
operating
since
at
least
2012.
It
primarily
focuses
on
South
Korea,
but
other
Asian
countries
also
have
been
targeted.
ScarCruft
seems
to
be
interested
mainly
in
government
and
military
organizations,
and
companies
in
various
industries
linked
to
the
interests
of
North
Korea.
Dolphin
overview
In
2021,
ScarCruft
conducted
a
watering-hole
attack
on
a
South
Korean
online
newspaper
focused
on
North
Korea.
The
attack
consisted
of
multiple
components,
including
an
Internet
Explorer
exploit
and
shellcode
leading
to
a
backdoor
named
BLUELIGHT,
reported
by
Volexity
and
Kaspersky.
In
those
reports,
the
BLUELIGHT
backdoor
was
described
as
the
attack’s
final
payload.
However,
when
analyzing
the
attack,
we
discovered
through
ESET
telemetry
a
second,
more
sophisticated
backdoor,
deployed
on
selected
victims
via
BLUELIGHT.
We
named
this
backdoor
Dolphin
based
on
a
PDB
path
found
in
the
executable.
While
the
BLUELIGHT
backdoor
performs
basic
reconnaissance
and
evaluation
of
the
compromised
machine
after
exploitation,
Dolphin
is
more
sophisticated
and
manually
deployed
only
against
selected
victims.
Both
backdoors
are
capable
of
exfiltrating
files
from
a
path
specified
in
a
command,
but
Dolphin
also
actively
searches
drives
and
automatically
exfiltrates
files
with
extensions
of
interest
to
ScarCruft.
Figure
1
provides
an
overview
of
the
attack
components
leading
to
the
execution
of
the
Dolphin
backdoor.
Figure
1.
Overview
of
the
attack
components
leading
to
the
execution
of
the
Dolphin
backdoor
Dolphin
analysis
Analysis
of
Dolphin’s
components
and
their
capabilities
is
provided
in
the
following
section.
The
analysis
is
based
on
the
first
version
of
the
backdoor
that
we
found,
1.9
(based
on
a
string
found
in
the
code)
with
additional
information
about
changes
in
newer
versions.
A
summarized
description
of
the
version
changes
can
be
found
in
the
Dolphin
evolution
section.
Dolphin
installer
Ensuing
sections
describe
the
installer
and
loader
components
responsible
for
the
execution
of
the
Dolphin
backdoor
in
the
analyzed
attack
scenario.
It
is
worth
noting
that
this
installer
and
the
deployed
loader
are
not
exclusive
to
Dolphin,
and
were
previously
seen
used
with
other
ScarCruft
malware.
The
installer
shellcode
follows
these
main
objectives:
-
Download
and
deploy
a
Python
interpreter -
Generate
and
deploy
a
loading
chain
with
its
payload -
Ensure
persistence
of
the
loading
chain
The
installer
downloads
a
CAB
file
from
OneDrive,
containing
a
legitimate
Python
2.7
interpreter.
The
CAB
is
unpacked
to
%APPDATA%,
and
depending
on
architecture,
the
interpreter
ends
up
in
one
of
the
following
directories:
-
%appdata%Python27(32) -
%appdata%Python27(64)
The
installer
generates
two
file
paths
for
loading-chain
components,
<loader_step_1>
and
<loader_encrypted_step_2>,
with
the
format
<base_dir><inf_name><dll_name>.
<base_dir>
is
randomly
selected
from
-
%PROGRAMDATA% -
%PUBLIC% -
%APPDATA%Microsoft -
%APPDATA%MicrosoftWindows -
%LOCALAPPDATA% -
%LOCALAPPDATA%Microsoft -
%LOCALAPPDATA%MicrosoftWindows
<inf_name>
and
<dll_name>
are
randomly
selected
from
existing
filenames
(without
extension)
in
%windir%inf*.inf
and
%windir%system32*.dll.
To
generate
Step
1
of
Loader,
it
uses
a
script
template
that
is
filled
with
randomly
generated
names
(variables,
function).
The
template
with
generated
example
is
shown
in
Figure
2.
Figure
2.
Step
1
template
and
generated
example
The
script
is
then
written
to
<loader_step_1>.
Step
2
(embedded
in
the
installer)
containing
the
rest
of
the
loading
chain,
including
the
payload,
is
encrypted
with
a
one-byte
XOR
key
derived
from
the
current
time
and
written
to
<loader_encrypted_step_2>.
In
order
to
persist
the
start
of
the
loading
chain,
the
installer
sets
a
Run
registry
value:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun<random_run_name>”%appdata%Python27({32|64})pythonw.exe”
“<loader_step_1>”
“<loader_encrypted_step_2>”
The
<random_run_name>
is
randomly
selected
from
existing
filenames
matching
%WINDIR%inf*.inf,
discarding
the
.inf
extension.
To
start
the
loading
chain
after
installation,
it
creates
a
one-time
scheduled
task.
Dolphin
loader
The
Dolphin
loader
consists
of
a
Python
script
and
shellcode.
Step
1,
the
Python
script,
reads
a
specified
file,
XOR-decrypts
its
contents,
and
executes
the
resulting
shellcode.
Step
2,
shellcode,
creates
a
host
process
(random
CLI
executable
from
%WINDIR%System32*.exe),
XOR-decrypts
further
shellcode
carried
within
itself,
and
injects
it
into
the
created
process.
Step
3,
another
shellcode,
XOR-decrypts
an
embedded
PE
file
–
the
Dolphin
backdoor
–
and
loads
and
executes
it
using
a
custom
PE
loader.
Dolphin
backdoor
Dolphin
is
a
backdoor
that
collects
information
and
executes
commands
issued
by
its
operators.
The
backdoor
is
a
regular
Windows
executable,
written
in
C++.
It
communicates
with
Google
Drive
cloud
storage,
which
is
used
as
its
C&C
server.
We
named
the
backdoor
Dolphin
based
on
a
PDB
path
found
in
the
executable:
D:DevelopmentBACKDOORDolphinx64ReleaseDolphin.pdb
Persistence
The
backdoor
periodically
checks
and
creates
its
own
persistence
by
making
sure
that
Step
1
of
the
loader
is
run
every
time
the
system
is
started,
via
a
registry
Run
value,
in
the
same
way
as
in
the
installer:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun<random_run_name>”%appdata%Python27({32|64})pythonw.exe”
“<loader_step_1>”
“<loader_encrypted_step_2>”
Capabilities
The
following
basic
information
about
the
computer
and
the
backdoor
is
collected:
-
Current
backdoor
configuration - Username
-
Computer
name -
Local
and
external
IP
address -
List
of
installed
security
products -
RAM
size
and
usage -
Result
of
check
for
debugger
and
other
inspection
tools
(such
as
Wireshark) -
OS
version -
Current
time -
Malware
version
Dolphin
downloads
commands,
issued
by
its
operators,
from
Google
Drive
storage
and
executes
them.
After
execution,
the
output
of
commands
is
uploaded.
Most
of
Dolphin’s
capabilities
are
controlled
through
commands.
The
most
relevant
capabilities
are
described
below.
File
exfiltration
By
default,
Dolphin
searches
all
non-fixed
drives
(USBs),
creates
directory
listings
and
exfiltrates
files
by
extension.
This
search
can
be
extended
to
fixed
drives
(HDDs),
via
dedicated
commands.
The
following
file
extensions
of
interest,
specific
to
media,
documents,
emails,
and
certificates,
are
specified
in
the
default
configuration:
jpg,
doc,
xls,
ppt,
hwp,
url,
csv,
pdf,
show,
cell,
eml,
odt,
rtf,
nxl,
amr,
3gp,
m4a,
txt,
msg,
key,
der,
cer,
docx,
xlsx,
pptx,
pfx,
mp3
Besides
this
automatic
search,
specific
files
can
be
exfiltrated.
In
the
newer
versions,
the
default
search
was
extended
to
fixed
drives.
The
command
to
get
specific
files
was
improved,
by
caching/storing
it
in
the
configuration
until
completion.
Portable
devices
Among
regular
drives,
Dolphin
also
searches
portable
devices
such
as
smartphones,
using
the
Windows
Portable
Device
(WPD)
API.
It
creates
directory
listings
and
exfiltrates
files.
This
functionality
appeared
to
be
under
development
in
the
first
version
we
found,
for
several
reasons:
-
Relying
on
a
hardcoded
path
with
a
username
that
likely
doesn’t
exist
on
the
victim’s
computer -
Missing
variable
initialization
–
some
variables
are
assumed
to
be
zero-initialized,
or
dereferenced
as
pointers
without
initialization -
Missing
extension
filtering
The
code
is
heavily
based
on
Microsoft’s
Portable
Devices
COM
API
code
sample.
Apart
from
automatic
search,
the
operators
can
specify
individual
files
to
be
exfiltrated
from
portable
devices.
In
newer
versions,
this
capability
was
finished
and
improved
by
adding
extension
filtering.
For
unknown
reasons,
the
command
to
retrieve
specific
files
from
portable
devices
was
removed.
Keylogging
and
screenshots
Dolphin
logs
keystrokes
for
windows
with
titles
containing
substrings
specified
in
its
configuration.
The
defaults
are
chrome
and
internet
explore
(sic).
This
is
done
via
the
GetAsyncKeyState
API,
with
keystrokes
being
logged
along
with
the
window
name
and
current
time.
Screenshots
are
also
taken
at
a
configurable
interval;
the
default
is
once
every
30
seconds.
Screenshots
and
keylogging
are
enabled
by
default,
and
can
be
toggled
via
a
command.
Shellcode
Dolphin
can
receive
shellcode
for
execution.
The
shellcode
is
stored
in
the
registry,
under
one
of
the
following
keys:
-
HKCUSoftwareMicrosoftWindowsCurrentVersionThemesClassic<random_number> -
HKCUSoftwareMicrosoftOneDriveUpdate<random_number> -
HKCUSoftwareMicrosoftWindowsCurrentVersionInternet
SettingsHttpsSoftwareMicrosoftInternet
ExplorerZone<random_number>
(two
subkeys
as
one,
likely
a
coding
error)
It
can
be
executed
either
locally
or
in
a
specified
separate
process
that
is
created
and
injected.
In
the
newer
versions,
the
shellcode
is
stored
in
files
instead
of
the
registry,
and
the
stored
shellcode
is
loaded
and
executed
on
Dolphin’s
startup,
which
was
not
the
case
in
version
1.9
(the
original
version
we
analyzed).
Shell
commands
Dolphin
can
execute
shell
commands;
this
is
done
via
the
popen
API
and
their
output
is
retrieved.
Stealing
credentials
Dolphin
can
retrieve
credentials
from
browsers
in
the
form
of
saved
passwords
and
cookies.
The
following
browsers
are
supported:
-
Chrome -
Edge -
Internet
Explorer
In
version
2.2,
this
capability
was
removed,
presumably
to
avoid
detection.
It
was
later
restored
in
version
3.0,
but
in
a
different
form.
It
is
now
dynamically
received
from
the
C&C
in
the
form
of
shellcode.
Google
account
Another
one
of
Dolphin’s
commands
modifies
the
settings
of
the
currently
logged-in
Google
account,
lowering
its
security
relative
to
default
settings.
It
steals
the
existing
cookie
of
the
logged-in
account
from
the
browser
and
crafts
requests
that
modify
the
settings.
First,
it
enables
access
to
Gmail
via
the
IMAP
protocol
by
sending
an
HTTP
POST
request
to:
-
https://mail.google.com/mail/u/0/?ik=<GM_ID_KEY>&at=<GM_ACTION_TOKEN>&view=up&act=prefs
Then
it
enables
“less
secure
app
access”
by
sending
an
undocumented
RPC
request
via
an
HTTP
POST
to:
-
https://myaccount.google.com/_/AccountSettingsUi/data/batchexecute
These
modifications
are
referred
to
as
“thunder
access”
in
the
backdoor,
likely
being
a
reference
to
the
Thunderbird
email
client.
Accessing
their
victims’
inboxes
with
a
third-party
client
via
IMAP
probably
helps
ScarCruft
operators
maintain
access
to
the
victims’
emails
after
stealing
credentials,
which
may
not
be
enough
on
their
own,
due
to
Google’s
detection
of
suspicious
login
attempts.
This
feature
was
found
in
versions
1.9
and
2.0
of
the
backdoor;
it
is
not
present
in
versions
2.2
or
3.0.
Data
staging
Dolphin
exfiltrates
data
to
Google
Drive
storage,
staging
the
data
in
encrypted
ZIP
archives
before
upload.
The
backdoor
also
maintains
a
list
of
files
in
the
form
of
MD5
hashes,
in
order
to
avoid
uploading
the
same
file
multiple
times.
This
list
can
be
reset
via
a
dedicated
command.
Configuration
The
backdoor
contains
an
initial
default
configuration
that
is
persisted
on
first
run
and
loaded
on
subsequent
runs.
It
is
stored
in
the
file
%ProgramData%<variable_cfg_name>.inf,
where
<variable_cfg_name>
is
randomly
selected
from
existing
filenames
matching
%windir%inf*.inf.
The
content
is
encrypted
using
AES
CBC
with
random
16-byte
keys
and
IVs,
which
are
stored
at
the
file’s
beginning.
The
configuration
uses
JSON
format,
with
hash-like
keys.
An
example
of
a
decrypted
configuration
is
shown
in
Figure
3.
Figure
3.
Dolphin
backdoor
configuration
The
configuration
can
be
modified
through
commands.
It
contains,
among
others,
the
following:
-
Encryption
keys -
Credentials
for
Google
Drive
API
access -
Window
titles
to
keylog -
List
of
file
extensions
to
exfiltrate
Dolphin
evolution
Since
the
initial
discovery
of
Dolphin
in
April
2021,
we
have
observed
multiple
versions
of
the
backdoor,
in
which
the
threat
actors
improved
the
backdoor’s
capabilities
and
made
attempts
to
evade
detection.
Figure
4
summarizes
the
versions
seen;
a
more
detailed
description
of
the
version
changes
is
provided
below.
Figure
4.
Dolphin
evolution
timeline
November
2021
–
version
2.0
Version
2.0
introduced
the
following
changes
to
the
version
found
in
April
2021:
-
Dynamic
resolution
of
suspicious
APIs
instead
of
static
imports
(for
example
GetAsyncKeyState)
added -
Shellcode
capability
finished
and
improved-
Persisted
shellcode
stored
in
files
instead
of
registry -
Persisted
shellcode
loaded
and
executed
on
Dolphin
startup
(previously
missing)
-
Persisted
-
Portable
device
file
exfiltration
capability
finished
and
improved-
Exfiltration
by
extensions
added -
Recognition
of
internal
memory
and
SD
cards
(from
device
ID)
added -
Command
to
get
files
from
portable
devices
effectively
a
NOP
-
Exfiltration
-
Device/drive
detection
and
file
exfiltration
improved-
Dolphin
now
unconditionally
creates
directory
listings
and
exfiltrates
files
by
extension
every
30
minutes
for
all
drives
and
devices
(fixed
drives,
removable
drives,
portable
devices).
Previously,
it
was
just
for
removable
drives;
fixed
drives
were
disabled
by
default
and
the
code
used
for
accessing
portable
devices
was
buggy
and
broken.
-
Dolphin
December
2021
–
version
2.2
Changes
introduced
in
version
2.2
focused
mainly
on
detection
evasion.
The
credential-stealing
capability
and
commands
related
to
it
–
the
credential
stealing
and
Google
account
commands
–
were
removed.
Most
strings
in
this
version
are
base64
encoded.
January
2022
–
version
3.0
In
version
3.0,
the
code
was
reorganized
and
classes
renamed,
with
capabilities
remaining
unchanged.
The
base64-encoded
strings
were
plaintext
again
in
this
version.
We
observed
the
following
additional
changes:
-
Command
to
steal
credentials
restored
in
a
different
form;
it
now
executes
shellcode
from
the
C&C -
Command
to
get
files
from
portable
devices
completely
removed -
Command
to
get
files
from
drives
is
now
cached/stored
in
the
configuration
until
completion.
If
interrupted
(for
example
by
computer
shutdown),
it
is
done
on
the
next
run.
This
is
also
useful
in
the
case
of
removable
drives
that
may
not
be
connected
when
the
command
is
issued. -
Internet
connection
check
added
(https://www.microsoft.com);
no
malicious
code
is
executed
if
offline
The
differences
between
versions
2.2
and
3.0,
especially
the
discrepancy
in
string
encoding,
suggest
the
possibility
that
the
versions
were
being
developed
in
parallel
by
different
people.
Conclusion
Dolphin
is
another
addition
to
ScarCruft’s
extensive
arsenal
of
backdoors
abusing
cloud
storage
services.
After
being
deployed
on
selected
targets,
it
searches
the
drives
of
compromised
systems
for
interesting
files
and
exfiltrates
them
to
Google
Drive.
One
unusual
capability
found
in
prior
versions
of
the
backdoor
is
the
ability
to
modify
the
settings
of
victims’
Google
and
Gmail
accounts
to
lower
their
security,
presumably
in
order
to
maintain
account
access
for
the
threat
actors.
During
our
analysis
of
multiple
versions
of
the
Dolphin
backdoor,
we
saw
continued
development
and
attempts
to
evade
detection.
For
any
inquiries
about
our
research
published
on
WeLiveSecurity,
please
contact
us
at threatintel@eset.com.
ESET
Research
also
offers
private
APT
intelligence
reports
and
data
feeds.
For
any
inquiries
about
this
service,
visit
the ESET
Threat
Intelligence page.
IoCs
| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
|
F9F6C0184CEE9C1E4E15C2A73E56D7B927EA685B |
N/A | Win64/Agent.MS | Dolphin backdoor version 1.9 (x64) |
|
5B70453AB58824A65ED0B6175C903AA022A87D6A |
N/A | Win32/Spy.Agent.QET | Dolphin backdoor version 2.0 (x86) |
|
21CA0287EC5EAEE8FB2F5D0542E378267D6CA0A6 |
N/A | Win64/Agent.MS | Dolphin backdoor version 2.0 (x64) |
|
D9A369E328EA4F1B8304B6E11B50275F798E9D6B |
N/A | Win32/Agent.UYO | Dolphin backdoor version 3.0 (x86) |
|
2C6CC71B7E7E4B28C2C176B504BC5BDB687C4D41 |
N/A | Win64/Agent.MS | Dolphin backdoor version 3.0 (x64) |
MITRE
ATT&CK
techniques
This
table
was
built
using
version
12
of
the
MITRE
ATT&CK
framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
|
Initial Access |
T1189 |
Drive-by Compromise |
ScarCruft uses watering-hole attacks to compromise victims. |
| Execution |
T1059.006 |
Command and Scripting Interpreter: Python |
The Dolphin loader a uses Python script. |
|
T1059.007 |
Command and Scripting Interpreter: JavaScript |
ScarCruft used malicious JavaScript for a watering-hole attack. |
|
|
T1203 |
Exploitation for Client Execution |
ScarCruft exploits CVE-2020-1380 to compromise victims. |
|
|
T1106 |
Native API |
Dolphin uses Windows API functions to execute files and inject processes. |
|
| Persistence |
T1053.005 |
Scheduled Task/Job: Scheduled Task |
Dolphin uses a temporary scheduled task to start after installation. |
|
T1547.001 |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Dolphin uses Run keys for persistence of its loader. |
|
|
Defense Evasion |
T1055.002 |
Process Injection: Portable Executable Injection |
Dolphin can inject into other processes. |
|
T1027 |
Obfuscated Files or Information |
Dolphin has encrypted components. |
|
|
Credential Access |
T1555.003 |
Credentials from Password Stores: Credentials from Web Browsers |
Dolphin can obtain saved passwords from browsers. |
|
T1539 |
Steal Web Session Cookie |
Dolphin can obtain cookies from browsers. |
|
| Discovery |
T1010 |
Application Window Discovery |
Dolphin captures the title of the active window. |
|
T1083 |
File and Directory Discovery |
Dolphin can obtain file and directory listings. |
|
|
T1518.001 |
Software Discovery: Security Software Discovery |
Dolphin obtains a list of installed security software. |
|
|
T1082 |
System Information Discovery |
Dolphin obtains various system information including OS version, computer name and RAM size. |
|
|
T1016 |
System Network Configuration Discovery |
Dolphin obtains the device’s local and external IP address. |
|
|
T1016.001 |
System Network Configuration Discovery: Internet Connection Discovery |
Dolphin checks internet connectivity. |
|
|
T1033 |
System Owner/User Discovery |
Dolphin obtains the victim’s username. |
|
|
T1124 |
System Time Discovery |
Dolphin obtains the victim’s current time. |
|
| Collection |
T1056.001 |
Input Capture: Keylogging |
Dolphin can log keystrokes. |
|
T1560.002 |
Archive Collected Data: Archive via Library |
Using the Zipper library, Dolphin compresses and encrypts collected data before exfiltration. |
|
|
T1119 |
Automated Collection |
Dolphin periodically collects files with certain extensions from drives. |
|
|
T1005 |
Data from Local System |
Dolphin can collect files from local drives. |
|
|
T1025 |
Data from Removable Media |
Dolphin can collect files from removable drives. |
|
|
T1074.001 |
Data Staged: Local Data Staging |
Dolphin stages collected data in a directory before exfiltration. |
|
|
T1113 |
Screen Capture |
Dolphin can capture screenshots. |
|
|
Command and Control |
T1071.001 |
Application Layer Protocol: Web Protocols |
Dolphin uses HTTPS to communicate with Drive. |
|
T1102.002 |
Web Service: Bidirectional Communication |
Dolphin communicates with Drive to download commands and exfiltrate data. |
|
| Exfiltration |
T1020 |
Automated Exfiltration |
Dolphin periodically exfiltrates collected data. |
|
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Dolphin exfiltrates data to Drive. |
