A new Windows malware steals data from connected smartphones

ESET researchers have discovered a new backdoor called Dolphin and used by hacker group APT 37 in highly targeted attack campaigns. In fact, the group has been associated with espionage activities on behalf of North Korea since 2012.

Dolphin had already been observed in 2021 and has since evolved, with improvements to the code and to its anti-detection mechanisms. This backdoor was used together with BLUELIGHT, a tool already employed by APT37, and the new version integrates more effective data theft capabilities: from collecting passwords from browsers to taking screenshots, including a keylogger function.

[Figure: Overview of the attack leading to the execution of the Dolphin backdoor - Source: ESET]

In this case, BLUELIGHT is used to launch the Dolphin Python loader on the affected systems, while keeping a reduced role in the espionage activity itself. The loader consists of a script and shellcode that run the Dolphin payload inside a newly created process in memory.

Basically, Dolphin is a C++ executable that uses Google Drive as a C2 server for storing stolen files. Once a machine is infected, Dolphin collects data such as username, computer name, local and external IP addresses, installed security software, RAM size and usage, presence of debugging or network packet analysis tools, version of the operating system.

The backdoor sends the current configuration, version number and timestamp to the C2. The configuration contains instructions for keylogging and exfiltration, as well as credentials for accessing the Google Drive API and encryption keys.

Dolphin receives commands uploaded to Google Drive and then uploads the results of their execution. The malware can also scan local and removable drives for various types of data, which are then stored and sent to Drive.
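Because the backdoor's command channel and exfiltration both ride on the Google Drive API, a defender's most practical hunt is for processes that should never talk to that API doing so repeatedly. The script below is an added example written for this article, not ESET's code and not derived from the Dolphin sample; the Sysmon-style network events it analyses are constructed, the allowlisted browser paths and the two `googleapis.com` hosts it watches are assumptions, and the regular 30-second spacing of the suspicious connections is a constructed property of the sample data, not a documented Dolphin beacon interval.

```python
"""Hunt for Google Drive API traffic from processes that are not browsers.

Added example for this article (not ESET's or the malware author's code).
Input is a handful of constructed, Sysmon Event ID 3-style network events;
real telemetry would come from an EDR or SIEM export in the same shape.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, process image, destination host, port).
SAMPLE_EVENTS = [
    ("2022-11-30T10:00:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.googleapis.com", 443),
    ("2022-11-30T10:00:05", r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "www.googleapis.com", 443),
    ("2022-11-30T10:00:35", r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "www.googleapis.com", 443),
    ("2022-11-30T10:01:05", r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "www.googleapis.com", 443),
    ("2022-11-30T10:01:35", r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "oauth2.googleapis.com", 443),
    ("2022-11-30T10:02:00", r"C:\Windows\System32\svchost.exe", "update.microsoft.com", 443),
    ("2022-11-30T10:02:10", r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.googleapis.com", 443),
]

# Hosts used by the Drive REST API and its OAuth token endpoint (assumption: these
# are the endpoints worth watching; extend the set for your environment).
DRIVE_API_HOSTS = {"www.googleapis.com", "oauth2.googleapis.com"}

# Full image paths for which Drive traffic is expected (assumed allowlist).
# Matching on the full path rather than the basename means a binary that merely
# borrows a browser's name from an unusual directory is still flagged.
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}


def find_suspicious_drive_clients(events, min_hits=3, max_jitter_s=5.0):
    """Return {image: {...}} for non-allowlisted processes that contacted Drive
    API hosts at least `min_hits` times, with the mean gap between connections
    and whether the gaps are regular enough to look like a scheduled poll."""
    by_image = defaultdict(list)
    for ts, image, host, port in events:
        if host in DRIVE_API_HOSTS and port == 443 and image.lower() not in ALLOWED_IMAGES:
            by_image[image].append(datetime.fromisoformat(ts))

    findings = {}
    for image, stamps in by_image.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings[image] = {
            "hits": len(stamps),
            "mean_interval_s": sum(gaps) / len(gaps),
            # A tight spread between connection gaps suggests a timer, not a human.
            "regular_beacon": (max(gaps) - min(gaps)) <= max_jitter_s,
        }
    return findings


if __name__ == "__main__":
    for image, info in find_suspicious_drive_clients(SAMPLE_EVENTS).items():
        print(f"{image}: {info['hits']} Drive API connections, "
              f"mean gap {info['mean_interval_s']:.0f}s, "
              f"regular={info['regular_beacon']}")
```

On the sample data only the `svchost.exe` running from the user's Temp directory is reported; the real `svchost.exe` in `System32` never touches a Drive host and the browsers are allowlisted by full path. In production, tune `min_hits` and `max_jitter_s` against a baseline of legitimate Drive sync clients before alerting.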

These capabilities extend to any smartphone connected to the compromised host via the Windows Portable Device API. So the malware is also able to steal, store and send data from connected smartphones to Drive.

The attackers would also be able to keep persistent access to the victim's Google account, since they appear able to lower the protection level of affected Google accounts. In addition, Dolphin logs keystrokes in Google Chrome via the GetAsyncKeyState API and can take a snapshot of the active window every 30 seconds.

According to ESET researchers, this malware was used in a watering-hole attack against a South Korean news organization which reported news on North Korea-related activities and events.

You can read ESET's full report here.