Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

ESET researchers analyzed Dolphin, a previously unreported backdoor used by ScarCruft (APT37) that operatives deploy on select targets to exfiltrate files, log keystrokes, take screenshots, and steal browser credentials, using Google Drive for C2. The Dolphin backdoor has evolved across versions since 2021, with added evasion techniques and the ability to modify Google/Gmail account settings to lower security.
#DolphinBackdoor #ScarCruft

Keypoints

  • ESET analyzed Dolphin, a backdoor used by ScarCruft (APT37), with Google Drive as its C2 channel.
  • Dolphin is deployed only against selected targets; it searches drives and portable devices for files and exfiltrates them to Google Drive.
  • The backdoor appeared as the final payload in a multistage 2021 attack that included a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and the BLUELIGHT backdoor.
  • Since its discovery, multiple Dolphin versions emerged, with improved capabilities and detection-evasion efforts.
  • Earlier versions could modify victims’ Google/Gmail account settings to lower security, aiding persistent access.
  • Dolphin's architecture includes an installer that downloads a Python interpreter from OneDrive, a loader chain, and Run-key-based persistence, followed by a separate Dolphin backdoor payload.
  • Core capabilities cover file exfiltration, portable device access, keylogging, screenshots, browser credential theft, Google account manipulation, and data staging to Google Drive.

MITRE Techniques

  • [T1189] Drive-by Compromise – ScarCruft uses watering-hole attacks to compromise victims. “ScarCruft uses watering-hole attacks to compromise victims.”
  • [T1059.006] Command and Scripting Interpreter: Python – The Dolphin loader uses a Python script. “The Dolphin loader uses a Python script.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – ScarCruft used malicious JavaScript for a watering-hole attack. “ScarCruft used malicious JavaScript for a watering-hole attack.”
  • [T1203] Exploitation for Client Execution – ScarCruft exploits CVE-2020-1380 to compromise victims. “ScarCruft exploits CVE-2020-1380 to compromise victims.”
  • [T1106] Native API – Dolphin uses Windows API functions to execute files and inject processes. “Dolphin uses Windows API functions to execute files and inject processes.”
  • [T1053.005] Scheduled Task – Dolphin uses a temporary scheduled task to start after installation. “Dolphin uses a temporary scheduled task to start after installation.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Dolphin uses Run keys for persistence of its loader. “Dolphin uses Run keys for persistence of its loader.”
  • [T1055.002] Process Injection: Portable Executable Injection – Dolphin can inject into other processes. “Dolphin can inject into other processes.”
  • [T1027] Obfuscated Files or Information – Dolphin has encrypted components. “Dolphin has encrypted components.”
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Dolphin can obtain saved passwords from browsers. “Dolphin can obtain saved passwords from browsers.”
  • [T1539] Steal Web Session Cookie – Dolphin can obtain cookies from browsers. “Dolphin can obtain cookies from browsers.”
  • [T1010] Application Window Discovery – Dolphin captures the title of the active window. “Dolphin captures the title of the active window.”
  • [T1083] File and Directory Discovery – Dolphin can obtain file and directory listings. “Dolphin can obtain file and directory listings.”
  • [T1518.001] Software Discovery: Security Software Discovery – Dolphin obtains a list of installed security software. “Dolphin obtains a list of installed security software.”
  • [T1082] System Information Discovery – Dolphin obtains OS version, computer name and RAM size. “Dolphin obtains various system information including OS version, computer name and RAM size.”
  • [T1016] System Network Configuration Discovery – Dolphin obtains local and external IP address. “Dolphin obtains the device’s local and external IP address.”
  • [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – Dolphin checks internet connectivity. “Dolphin checks internet connectivity.”
  • [T1033] System Owner/User Discovery – Dolphin obtains the victim’s username. “Dolphin obtains the victim’s username.”
  • [T1124] System Time Discovery – Dolphin obtains the victim’s current time. “Dolphin obtains the victim’s current time.”
  • [T1056.001] Input Capture: Keylogging – Dolphin can log keystrokes. “Dolphin can log keystrokes.”
  • [T1560.002] Archive Collected Data: Archive via Library – Using the Zipper library, Dolphin compresses and encrypts collected data before exfiltration. “Using the Zipper library, Dolphin compresses and encrypts collected data before exfiltration.”
  • [T1119] Automated Collection – Dolphin periodically collects files with certain extensions from drives. “Dolphin periodically collects files with certain extensions from drives.”
  • [T1005] Data from Local System – Dolphin can collect files from local drives. “Dolphin can collect files from local drives.”
  • [T1025] Data from Removable Media – Dolphin can collect files from removable drives. “Dolphin can collect files from removable drives.”
  • [T1074.001] Data Staged: Local Data Staging – Dolphin stages collected data in a directory before exfiltration. “Dolphin stages collected data in a directory before exfiltration.”
  • [T1113] Screen Capture – Dolphin can capture screenshots. “Dolphin can capture screenshots.”
  • [T1071.001] Web Protocols – Dolphin uses HTTPS to communicate with Google Drive. “Dolphin uses HTTPS to communicate with Google Drive.”
  • [T1102.002] Web Service: Bidirectional Communication – Dolphin communicates with Google Drive to download commands and exfiltrate data. “Dolphin communicates with Google Drive to download commands and exfiltrate data.”
  • [T1020] Automated Exfiltration – Dolphin periodically exfiltrates collected data. “Dolphin periodically exfiltrates collected data.”
  • [T1567.002] Exfiltration to Cloud Storage – Dolphin exfiltrates data to Google Drive. “Dolphin exfiltrates data to Google Drive.”

Indicators of Compromise

  • [SHA-1] Content hashes – F9F6C0184CEE9C1E4E15C2A73E56D7B927EA685B and 5B70453AB58824A65ED0B6175C903AA022A87D6A (Dolphin backdoor samples, versions 1.9–2.0)

Read more: https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/