Toni Dimaano Tech 12.01.2022 04:Dec AM EST

New Windows Malware Uses Mobile Phone Scans To Victims' Steal Data

Security researchers have discovered a backdoor called Dolphin, which has been used by North Korean hackers in crimes for years now.

According to reports, the hackers recycle on Dolphin during highly targeted operations to steal files, which they send into Google Drive storages.

APT37 Uses The Malware For Specific Entities

The hacking group called APT37 is allegedly associated with illegal activities aligning with North Korean interests since 2012, using Dolphin as a backdoor for their hacking mechanisms.

According to security researchers ESET, Dolphin was discovered back in April 2021, and has been under observation, which saw it evolve into new versions with improved codes.

During the cyber breach, Dolphin is often used with a basic reconnaissance tool called BLUELIGHT, as seen on previous APT37 campaigns.

However, Bleeping Computer writes that it features more powerful skill sets that allows hackers to steal information from web browsers, take screenshots, and login keystrokes.

BLUELIGHT goes hand-in-hand with Dolphin as it launches the Python loader on the compromised system, but it only has a small role in the operations.

The Python loader is composed of a script and shellcode, used to kickstart multi-step XOR-decryption, process creation, and more.

This will then result in the execution of the Dolphin payload in a newly created memory process, simply executable using Google Drive as a C2 server for stolen data.

Additionally, the malware persists modifying the Windows registry, and by collecting information such as username, computer name, and IP addresses.

It also targets installed security software, RAM usage data, debugging or network inspection tools, and OS version during the breach.

Bleeping Computer writes that the backdoor sends current configurations, version number, and time to the C2, with keylogging and file exfiltration instructions, credentials, and encryption keys.

With this, Dolphin can now scan local and removable drives for different types of media, which will be archived and delivered to the C2 Google Drive system.

The Malware Snatches Files From Connected Mobile Devices

According to We Live Security, the security researchers found that the malware's capabilities not only concern Windows users, but also any phone connected to PC using Windows Portable Device API.

Security researcher ESET notes that while the functionality appears underdeveloped, the malware was able to use a hardcoded path with usernames that do not exist on breached computers.

This caused missing variable initialization where some variables are assumed to be dereferenced, and missing extension filtering.

Lower security on compromised Google accounts can also be an additional evidence that the malware has reached the victim as attackers now have access to their accounts for a long period.

Dolphin records keystrokes in Google Chrome by using the "GetAsyncKeyState" API, where it can take a picture of the active window every 30 seconds.

We Live Security also writes that ESET researchers believe they have discovered four distinct versions of Dolphin backdoor, of which the latest one dates back to January 2022.