# Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin **[welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/](https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/)** November 30, 2022 ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group [Filip Jurčacko](https://www.welivesecurity.com/author/fjurcacko/) 30 Nov 2022 - 11:30AM ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C&C communication. During our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes. In this blogpost, we provide a technical analysis of the Dolphin backdoor and explain its connection to previously documented ScarCruft activity. We will present our findings about this new addition to ScarCruft’s toolset at the [AVAR 2022 conference.](https://aavar.org/cybersecurity-conference/index.php/whos-swimming-in-south-korean-waters-meet-scarcrufts-dolphin/) **Key points in this blogpost:** ESET researchers analyzed Dolphin, a previously unreported backdoor used by the ScarCruft APT group. Dolphin is deployed on selected targets only; it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. The backdoor was used as the final payload of a multistage attack in early 2021, involving a wateringhole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT. ----- Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security. ## ScarCruft profile ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries also have been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. ## Dolphin overview In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT, reported by [Volexity and](https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/) [Kaspersky.](https://securelist.com/apt-trends-report-q2-2021/103517/) In those reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analyzing the attack, we discovered through ESET telemetry a second, more sophisticated backdoor, deployed on selected victims via BLUELIGHT. We named this backdoor Dolphin based on a PDB path found in the executable. While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are capable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically exfiltrates files with extensions of interest to ScarCruft. Figure 1 provides an overview of the attack components leading to the execution of the Dolphin backdoor. ----- _Figure 1. Overview of the attack components leading to the execution of the Dolphin backdoor_ ----- ## Dolphin analysis Analysis of Dolphin’s components and their capabilities is provided in the following section. The analysis is based on the first version of the backdoor that we found, 1.9 (based on a string found in the code) with additional information about changes in newer versions. A summarized description of the version changes can be found in the Dolphin evolution section. ### Dolphin installer Ensuing sections describe the installer and loader components responsible for the execution of the Dolphin backdoor in the analyzed attack scenario. It is worth noting that this installer and the deployed loader are not exclusive to Dolphin, and were previously seen used with other ScarCruft malware. The installer shellcode follows these main objectives: Download and deploy a Python interpreter Generate and deploy a loading chain with its payload Ensure persistence of the loading chain The installer downloads a CAB file from OneDrive, containing a legitimate Python 2.7 interpreter. The CAB is unpacked to %APPDATA%, and depending on architecture, the interpreter ends up in one of the following directories: %appdata%\Python27(32)\ %appdata%\Python27(64)\ The installer generates two file paths for loading-chain components, and , with the format \\. is randomly selected from %PROGRAMDATA% %PUBLIC% %APPDATA%\Microsoft %APPDATA%\Microsoft\Windows %LOCALAPPDATA% %LOCALAPPDATA%\Microsoft %LOCALAPPDATA%\Microsoft\Windows and are randomly selected from existing filenames (without extension) in %windir%\inf\*.inf and %windir%\system32\*.dll. To generate Step 1 of Loader, it uses a script template that is filled with randomly generated names (variables, function). The template with generated example is shown in Figure 2. ----- _Figure 2. Step 1 template and generated example_ The script is then written to . Step 2 (embedded in the installer) containing the rest of the loading chain, including the payload, is encrypted with a one-byte XOR key derived from the current time and written to . In order to persist the start of the loading chain, the installer sets a Run registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ \”%appdata%\Python27({32|64})\pythonw.exe” “” “” The is randomly selected from existing filenames matching %WINDIR%\inf\*.inf, discarding the .inf extension. To start the loading chain after installation, it creates a one-time scheduled task. ### Dolphin loader The Dolphin loader consists of a Python script and shellcode. Step 1, the Python script, reads a specified file, XOR-decrypts its contents, and executes the resulting shellcode. Step 2, shellcode, creates a host process (random CLI executable from %WINDIR%\System32\*.exe), XOR-decrypts further shellcode carried within itself, and injects it into the created process. Step 3, another shellcode, XOR-decrypts an embedded PE file – the Dolphin backdoor – and loads and executes it using a custom PE loader. ### Dolphin backdoor Dolphin is a backdoor that collects information and executes commands issued by its operators. The backdoor is a regular Windows executable, written in C++. It communicates with Google Drive cloud storage, which is used as its C&C server. We named the backdoor Dolphin based on a PDB path found in the executable: D:\Development\BACKDOOR\Dolphin\x64\Release\Dolphin.pdb **Persistence** ----- The backdoor periodically checks and creates its own persistence by making sure that Step 1 of the loader is run every time the system is started, via a registry Run value, in the same way as in the installer: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ \”%appdata%\Python27({32|64})\pythonw.exe” “” “” **Capabilities** The following basic information about the computer and the backdoor is collected: Current backdoor configuration Username Computer name Local and external IP address List of installed security products RAM size and usage Result of check for debugger and other inspection tools (such as Wireshark) OS version Current time Malware version Dolphin downloads commands, issued by its operators, from Google Drive storage and executes them. After execution, the output of commands is uploaded. Most of Dolphin’s capabilities are controlled through commands. The most relevant capabilities are described below. **_File exfiltration_** By default, Dolphin searches all non-fixed drives (USBs), creates directory listings and exfiltrates files by extension. This search can be extended to fixed drives (HDDs), via dedicated commands. The following file extensions of interest, specific to media, documents, emails, and certificates, are specified in the default configuration: jpg, doc, xls, ppt, hwp, url, csv, pdf, show, cell, eml, odt, rtf, nxl, amr, 3gp, m4a, txt, msg, key, der, cer, docx, xlsx, pptx, pfx, mp3 Besides this automatic search, specific files can be exfiltrated. In the newer versions, the default search was extended to fixed drives. The command to get specific files was improved, by caching/storing it in the configuration until completion. **_Portable devices_** Among regular drives, Dolphin also searches portable devices such as smartphones, using the Windows Portable Device (WPD) API. It creates directory listings and exfiltrates files. This functionality appeared to be under development in the first version we found, for several reasons: Relying on a hardcoded path with a username that likely doesn’t exist on the victim’s computer Missing variable initialization – some variables are assumed to be zero-initialized, or dereferenced as pointers without initialization Missing extension filtering ----- The code is heavily based on Microsoft s Portable Devices COM API [code sample.](https://github.com/microsoft/windows-classic-samples/tree/main/Samples/PortableDeviceCOM) Apart from automatic search, the operators can specify individual files to be exfiltrated from portable devices. In newer versions, this capability was finished and improved by adding extension filtering. For unknown reasons, the command to retrieve specific files from portable devices was removed. **_Keylogging and screenshots_** Dolphin logs keystrokes for windows with titles containing substrings specified in its configuration. The defaults are chrome and internet explore (sic). This is done via the GetAsyncKeyState API, with keystrokes being logged along with the window name and current time. Screenshots are also taken at a configurable interval; the default is once every 30 seconds. Screenshots and keylogging are enabled by default, and can be toggled via a command. **_Shellcode_** Dolphin can receive shellcode for execution. The shellcode is stored in the registry, under one of the following keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Classic\ HKCU\Software\Microsoft\OneDrive\Update\ HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpsSoftware\Microsoft\Internet Explorer\Zone\ (two subkeys as one, likely a coding error) It can be executed either locally or in a specified separate process that is created and injected. In the newer versions, the shellcode is stored in files instead of the registry, and the stored shellcode is loaded and executed on Dolphin’s startup, which was not the case in version 1.9 (the original version we analyzed). **_Shell commands_** Dolphin can execute shell commands; this is done via the popen API and their output is retrieved. **_Stealing credentials_** Dolphin can retrieve credentials from browsers in the form of saved passwords and cookies. The following browsers are supported: Chrome Edge Internet Explorer In version 2.2, this capability was removed, presumably to avoid detection. It was later restored in version 3.0, but in a different form. It is now dynamically received from the C&C in the form of shellcode. **_Google account_** Another one of Dolphin’s commands modifies the settings of the currently logged-in Google account, lowering its security relative to default settings. It steals the existing cookie of the logged-in account from the browser and crafts requests that modify the settings. First, it enables access to Gmail via the IMAP protocol by sending an HTTP POST request to: ----- https://mail.google.com/mail/u/0/?ik=&at= &view=up&act=prefs Then it enables “less secure app access” by sending an undocumented RPC request via an HTTP POST to: https://myaccount.google.com/_/AccountSettingsUi/data/batchexecute These modifications are referred to as “thunder access” in the backdoor, likely being a reference to the Thunderbird email client. Accessing their victims’ inboxes with a third-party client via IMAP probably helps ScarCruft operators maintain access to the victims’ emails after stealing credentials, which may not be enough on their own, due to Google’s detection of suspicious login attempts. This feature was found in versions 1.9 and 2.0 of the backdoor; it is not present in versions 2.2 or 3.0. **_Data staging_** Dolphin exfiltrates data to Google Drive storage, staging the data in encrypted ZIP archives before upload. The backdoor also maintains a list of files in the form of MD5 hashes, in order to avoid uploading the same file multiple times. This list can be reset via a dedicated command. **Configuration** The backdoor contains an initial default configuration that is persisted on first run and loaded on subsequent runs. It is stored in the file %ProgramData%\.inf, where is randomly selected from existing filenames matching %windir%\inf\*.inf. The content is encrypted using AES CBC with random 16-byte keys and IVs, which are stored at the file’s beginning. The configuration uses JSON format, with hash-like keys. An example of a decrypted configuration is shown in Figure 3. _Figure 3. Dolphin backdoor configuration_ The configuration can be modified through commands. It contains, among others, the following: Encryption keys Credentials for Google Drive API access Window titles to keylog ----- List of file extensions to exfiltrate ## Dolphin evolution Since the initial discovery of Dolphin in April 2021, we have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection. Figure 4 summarizes the versions seen; a more detailed description of the version changes is provided below. _Figure 4. Dolphin evolution timeline_ **November 2021 – version 2.0** Version 2.0 introduced the following changes to the version found in April 2021: Dynamic resolution of suspicious APIs instead of static imports (for example GetAsyncKeyState) added Shellcode capability finished and improved Persisted shellcode stored in files instead of registry Persisted shellcode loaded and executed on Dolphin startup (previously missing) Portable device file exfiltration capability finished and improved Exfiltration by extensions added Recognition of internal memory and SD cards (from device ID) added Command to get files from portable devices effectively a NOP Device/drive detection and file exfiltration improved Dolphin now unconditionally creates directory listings and exfiltrates files by extension every 30 minutes for all drives and devices (fixed drives, removable drives, portable devices). Previously, it was just for removable drives; fixed drives were disabled by default and the code used for accessing portable devices was buggy and broken. **December 2021 – version 2.2** Changes introduced in version 2.2 focused mainly on detection evasion. The credential-stealing capability and commands related to it – the credential stealing and Google account commands – were removed. Most strings in this version are base64 encoded. ----- **January 2022 version 3.0** In version 3.0, the code was reorganized and classes renamed, with capabilities remaining unchanged. The base64-encoded strings were plaintext again in this version. We observed the following additional changes: Command to steal credentials restored in a different form; it now executes shellcode from the C&C Command to get files from portable devices completely removed Command to get files from drives is now cached/stored in the configuration until completion. If interrupted (for example by computer shutdown), it is done on the next run. This is also useful in the case of removable drives that may not be connected when the command is issued. Internet connection check added (https://www.microsoft.com); no malicious code is executed if offline The differences between versions 2.2 and 3.0, especially the discrepancy in string encoding, suggest the possibility that the versions were being developed in parallel by different people. ## Conclusion Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services. After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors. During our analysis of multiple versions of the Dolphin backdoor, we saw continued development and attempts to evade detection. _For any inquiries about our research published on WeLiveSecurity, please contact us_ _at_ _[threatintel@eset.com.](mailto:threatintel@eset.com)_ _ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this_ _service, visit the_ _[ESET Threat Intelligence page.](https://www.eset.com/int/business/services/threat-intelligence/?utm_source=welivesecurity.com&utm_medium=referral&utm_campaign=wls-research&utm_content=whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/)_ ## IoCs **SHA-1** **Filename** **ESET detection name** **Description** F9F6C0184CEE9C1E4E15C2A73E56D7B927EA685B N/A Win64/Agent.MS Dolphin backdoor version 1.9 (x64) 5B70453AB58824A65ED0B6175C903AA022A87D6A N/A Win32/Spy.Agent.QET Dolphin backdoor version 2.0 (x86) 21CA0287EC5EAEE8FB2F5D0542E378267D6CA0A6 N/A Win64/Agent.MS Dolphin backdoor version 2.0 (x64) D9A369E328EA4F1B8304B6E11B50275F798E9D6B N/A Win32/Agent.UYO Dolphin backdoor version 3.0 (x86) ----- **SHA-1** **Filename** **ESET detection name** **Description** 2C6CC71B7E7E4B28C2C176B504BC5BDB687C4D41 N/A Win64/Agent.MS Dolphin backdoor version 3.0 (x64) ## MITRE ATT&CK techniques [This table was built using version 12 of the MITRE ATT&CK framework.](https://attack.mitre.org/resources/versions/) **Tactic** **ID** **Name** **Description** Initial Access [T1189](https://attack.mitre.org/versions/v12/techniques/T1189) Drive-by Compromise ScarCruft uses watering-hole attacks to compromise victims. Execution [T1059.006](https://attack.mitre.org/versions/v12/techniques/T1059/006) Command and Scripting Interpreter: Python [T1059.007](https://attack.mitre.org/versions/v12/techniques/T1059/007) Command and Scripting Interpreter: JavaScript [T1203](https://attack.mitre.org/versions/v12/techniques/T1203) Exploitation for Client Execution ScarCruft used malicious JavaScript for a watering-hole attack. ScarCruft exploits CVE-2020-1380 to compromise victims. The Dolphin loader a uses Python script. Dolphin uses a temporary scheduled task to start after installation. Dolphin can inject into other processes. Dolphin can obtain saved passwords from browsers. [T1106](https://attack.mitre.org/versions/v12/techniques/T1106) Native API Dolphin uses Windows API functions to execute files and inject processes. Persistence [T1053.005](https://attack.mitre.org/versions/v12/techniques/T1053/005) Scheduled Task/Job: Scheduled Task [T1547.001](https://attack.mitre.org/versions/v12/techniques/T1547/001) Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Dolphin uses Run keys for persistence of its loader. Defense Evasion [T1055.002](https://attack.mitre.org/versions/v12/techniques/T1055/002) Process Injection: Portable Executable Injection [T1027](https://attack.mitre.org/versions/v12/techniques/T1027) Obfuscated Files or Information Dolphin has encrypted components. Credential Access [T1555.003](https://attack.mitre.org/versions/v12/techniques/T1555/003) Credentials from Password Stores: Credentials from Web Browsers [T1539](https://attack.mitre.org/versions/v12/techniques/T1539) Steal Web Session Cookie Dolphin can obtain cookies from browsers. Discovery [T1010](https://attack.mitre.org/versions/v12/techniques/T1010) Application Window Discovery Dolphin captures the title of the active window. [T1083](https://attack.mitre.org/versions/v12/techniques/T1083) File and Directory Discovery Dolphin can obtain file and directory listings. ----- **Tactic** **ID** **Name** **Description** [T1518.001](https://attack.mitre.org/versions/v12/techniques/T1518/001) Software Discovery: Security Software Discovery [T1082](https://attack.mitre.org/versions/v12/techniques/T1082) System Information Discovery [T1016](https://attack.mitre.org/versions/v12/techniques/T1016) System Network Configuration Discovery [T1016.001](https://attack.mitre.org/versions/v12/techniques/T1016/001) System Network Configuration Discovery: Internet Connection Discovery [T1033](https://attack.mitre.org/versions/v12/techniques/T1033) System Owner/User Discovery Dolphin obtains a list of installed security software. Dolphin obtains various system information including OS version, computer name and RAM size. Dolphin obtains the device’s local and external IP address. Dolphin checks internet connectivity. Dolphin obtains the victim’s username. [T1124](https://attack.mitre.org/versions/v12/techniques/T1124) System Time Discovery Dolphin obtains the victim’s current time. Collection [T1056.001](https://attack.mitre.org/versions/v12/techniques/T1056/001) Input Capture: Keylogging Dolphin can log keystrokes. [T1560.002](https://attack.mitre.org/versions/v12/techniques/T1560/002) Archive Collected Data: Archive via Library Using the Zipper library, Dolphin compresses and encrypts collected data before exfiltration. [T1119](https://attack.mitre.org/versions/v12/techniques/T1119) Automated Collection Dolphin periodically collects files with certain extensions from drives. [T1005](https://attack.mitre.org/versions/v12/techniques/T1005) Data from Local System Dolphin can collect files from local drives. [T1025](https://attack.mitre.org/versions/v12/techniques/T1025) Data from Removable Media [T1074.001](https://attack.mitre.org/versions/v12/techniques/T1074/001) Data Staged: Local Data Staging Dolphin can collect files from removable drives. Dolphin stages collected data in a directory before exfiltration. [T1113](https://attack.mitre.org/versions/v12/techniques/T1113) Screen Capture Dolphin can capture screenshots. Command and Control [T1071.001](https://attack.mitre.org/versions/v12/techniques/T1071/001) Application Layer Protocol: Web Protocols Dolphin uses HTTPS to communicate with Google Drive. [T1102.002](https://attack.mitre.org/versions/v12/techniques/T1102/002) Web Service: Bidirectional Communication Dolphin communicates with Google Drive to download commands and exfiltrate data. Exfiltration [T1020](https://attack.mitre.org/versions/v12/techniques/T1020) Automated Exfiltration Dolphin periodically exfiltrates collected data. [T1567.002](https://attack.mitre.org/versions/v12/techniques/T1567/002) Exfiltration Over Web Service: Exfiltration to Cloud Storage Dolphin exfiltrates data to Google Drive. ----- 30 Nov 2022 - 11:30AM ### Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center Newsletter Discussion -----