2022-12-06

APT37 Drops New Dolphin Malware

Category: Threat Actor Activity | Industries: Government, Media, Military | Level: Tactical | Source: ESET

ESET researchers have discovered a new backdoor named Dolphin, used by the North Korean cyberespionage group APT37. The backdoor is equipped with data collection capabilities that support APT37's espionage campaigns, although it is reserved for select targets. APT37 operates in the interest of the North Korean government; the entities in the crosshairs of its campaigns have included government, military, and media organizations in Asian countries, specifically South Korea. Dolphin was observed as the final payload in a 2021 attack against a South Korean online newspaper that began with a watering-hole attack. Behaviors exhibited by the malware include the use of Python as an interpreter, establishing persistence through the Run registry key, and conducting command and control (C2) communication through cloud storage services such as Google Drive. Dolphin's data collection capabilities include searching drives for files of interest, extracting credentials from browsers, collecting keystrokes, and capturing screenshots. In addition, "A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes." Since its discovery in April 2021, Dolphin has continued to evolve, receiving code updates, enhancements to its feature set, and added defense evasion capabilities.

Anvilogic Scenario:

  • APT37: Python Misuse for Persistence and Data Collection

Anvilogic Use Cases:

  • Python Execution
  • Add DLL/EXE Registry Value
  • Data Staged to File
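The following is an added detection sketch, not code from Anvilogic or ESET, covering two of the Dolphin behaviors described above and the "Python Execution" and "Add DLL/EXE Registry Value" use cases: a Run registry value that launches a Python interpreter, and a Python interpreter running a script from a user-writable directory. The Sysmon-style events and their field names are constructed for illustration and are not indicators from the report.

```python
"""Detection sketch for two Dolphin behaviours described above: a Run registry
value that launches a Python interpreter, and Python executing a script from a
user-writable directory. Events are Sysmon-style dicts constructed for this
example; the field names are assumptions, not ESET's telemetry."""
import re

PY_IMAGE = re.compile(r"(^|\\)pythonw?\.exe\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)


def run_key_python(ev: dict) -> bool:
    """Sysmon 13 (SetValue): a Run key whose value data starts a Python interpreter."""
    return (ev.get("event_id") == 13
            and bool(RUN_KEY.search(ev.get("target_object", "")))
            and bool(PY_IMAGE.search(ev.get("details", ""))))


def python_from_user_dir(ev: dict) -> bool:
    """Sysmon 1 (ProcessCreate): python.exe whose binary or script sits in a user-writable path."""
    if ev.get("event_id") != 1 or not PY_IMAGE.search(ev.get("image", "")):
        return False
    return bool(USER_WRITABLE.search(ev["image"] + " " + ev.get("command_line", "")))


RULES = [("run_key_python_persistence", run_key_python),
         ("python_exec_user_writable", python_from_user_dir)]


def evaluate(events: list) -> list:
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (not real indicators): two suspicious, two benign.
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\pythonw.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\pythonw.exe C:\Users\alice\AppData\Local\Temp\svc.py"},
    {"event_id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\pythonw.exe",
     "command_line": r"pythonw.exe C:\Users\alice\AppData\Local\Temp\svc.py"},
    {"event_id": 1, "image": r"C:\Python311\python.exe",
     "command_line": r"python.exe C:\dev\tests\run_tests.py"},
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Correlating the two hits on the same host and user, as the scenario above does, is what separates developer use of Python from interpreter misuse for persistence.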
