Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
ScarCruft, also known as APT37 and Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries also have been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. Last year, ScarCruft conducted a watering-hole attack on a South Korean newspaper site. This attack was previously publicly described as having the BLUELIGHT backdoor as its final payload. However, we discovered a second, more sophisticated backdoor called Dolphin that was deployed on selected victims via BLUELIGHT.
Dolphin is a new, previously undocumented addition to ScarCruft’s toolset. It supports a wide range of espionage capabilities – such as monitoring drives and portable devices and exfiltrating interesting files, or stealing credentials from browsers. Interestingly, it also provides the ability to lower the security of victims’ Google and Gmail accounts. In line with ScarCruft’s signature TTPs, Dolphin abuses cloud storage services for C&C communication. In this talk, we will present a technical description of the Dolphin backdoor and its capabilities. We will also provide useful information for threat hunters looking to track ScarCruft activity, including the evolution across multiple Dolphin versions that we have observed after our initial discovery.
Filip Jurčacko is a Malware Researcher, working at ESET since 2015. Filip focuses on hunting and analyzing sophisticated threats. His research results in technical reports and improvements to detection capabilities. In his free time, he likes to improve skills in CTF competitions. He holds a master’s degree in software engineering from Slovak University of Technology in Bratislava.