Cybersecurity firm ESET has uncovered a previously unknown backdoor called Dolphin, which North Korean hackers have used in highly targeted operations for more than a year. The backdoor was employed by the APT37 group (also known as Reaper, Red Eyes, Erebus, ScarCruft) against specific targets aligned with North Korean interests.
ESET’s researchers discovered Dolphin in April 2021 and noted that it has since evolved into new versions with improved code and anti-detection mechanisms. Dolphin is deployed alongside BLUELIGHT, a basic reconnaissance tool seen in previous APT37 campaigns, but it offers far more powerful capabilities, such as stealing information from web browsers, taking screenshots, and logging keystrokes. The backdoor sends stolen files to Google Drive storage and establishes persistence by modifying the Windows Registry. Its extended feature set includes the ability to scan local and removable drives for various types of data, which it archives and delivers to Google Drive. Dolphin can also record user keystrokes in Google Chrome and take a snapshot of the active window every 30 seconds.
According to ESET, the hackers delivered commands to Dolphin by uploading them to Google Drive; in response, the backdoor uploaded the results of executing those commands to the same storage. ESET’s report provides a list of hashes for Dolphin backdoor versions 1.9 through 3.0 (x86/64-bit).