North Korean hackers steal data from Windows devices and all phones connected to them
Researchers at information security firm ESET have discovered a North Korea-related backdoor that has extensive spying capabilities not only on target computers but also on other mobile devices connected to them.
According to the company, the backdoor is capable of monitoring drives and smartphones connected to computers, extracting important files from them, recording keystrokes, taking screenshots and stealing user information.
The researchers explain that the backdoor, which they call Dolphin, has one notable characteristic: it abuses cloud storage services, specifically Google Drive, for command-and-control communications.
Behind the Dolphin backdoor, the researchers say, is the ScarCruft spy group, also known as APT37 or Reaper, which has been in operation since at least 2012.
The group's efforts are primarily focused on South Korea, the researchers said, but it has also targeted other Asian countries in the past. It is interested in government and military organizations and in companies in various industries of interest to North Korea.
ESET explained that after it is deployed on a specific target, the Dolphin backdoor searches the drives of the infected system for files of interest and sends them to Google Drive.
"One of the unusual features found in previous versions of the backdoor was the ability to change the settings of the victim's Google and Gmail accounts to lower their security level," the company said. "The reason is likely to maintain the attacker's access to the victim's Gmail account."
In 2021, the ScarCruft group launched an attack on a South Korean online newspaper that focuses on North Korea. The attack had several components, including the exploitation of Microsoft's Internet Explorer web browser.
Since the Dolphin backdoor was first discovered in April 2021, ESET researchers have noticed multiple versions of it as attackers worked to improve its functionality to avoid detection.
According to the researchers, the backdoor's strength is that it actively scans drives, automatically filters out files with extensions of interest, and collects basic information about the target device, including the operating system version, the list of installed security products, the user name, and the computer name.
By default, Dolphin scans all fixed drives (such as HDDs and SSDs) and removable drives (such as external USB storage), generates a directory listing, and extracts files by extension. The backdoor also searches for mobile devices connected to the computer, such as smartphones, via the Windows Portable Devices API.
The backdoor also steals browser credentials and is capable of recording keystrokes and taking screenshots. Finally, the backdoor packs this data into an encrypted ZIP archive before uploading it to Google Drive.
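Because the article's key detection point is that Dolphin talks to Google Drive from the infected machine and uploads encrypted ZIP archives there, a defender can look for Drive API traffic that does not come from a browser or that carries an unusual upload volume. The script below is an added example, not code from ESET or from the article: it parses a few constructed, tab-separated proxy log lines (the log format, the process allowlist, the `UPLOAD_BYTES_THRESHOLD` value and the process name `svcupd.exe` are all assumptions) and flags per host and process any Google Drive API usage from a non-browser process or any upload volume above the threshold.

```python
"""Flag Google Drive API traffic from non-browser processes in proxy logs.

Added example with constructed sample data and a hypothetical log format;
the allowlist and threshold are assumptions to tune for a real environment.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (tab-separated):
# timestamp  host  process  method  url  bytes_sent  user_agent
SAMPLE_LOG = """\
2022-11-30T09:01:12Z\tWS-017\tchrome.exe\tPOST\thttps://www.googleapis.com/upload/drive/v3/files?uploadType=multipart\t48213\tMozilla/5.0 (Windows NT 10.0) Chrome/107.0
2022-11-30T09:02:40Z\tWS-017\tsvcupd.exe\tPOST\thttps://www.googleapis.com/upload/drive/v3/files?uploadType=multipart\t5242880\tMozilla/5.0
2022-11-30T09:02:41Z\tWS-017\tsvcupd.exe\tGET\thttps://www.googleapis.com/drive/v3/files?q=trashed%3Dfalse\t0\tMozilla/5.0
2022-11-30T09:03:05Z\tWS-022\toutlook.exe\tGET\thttps://outlook.office365.com/owa/\t0\tMicrosoft Office/16.0
2022-11-30T09:05:00Z\tWS-017\tsvcupd.exe\tPOST\thttps://www.googleapis.com/upload/drive/v3/files?uploadType=resumable\t7340032\tMozilla/5.0
"""

# Hosts that serve the Google Drive API (metadata and upload endpoints).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "content.googleapis.com"}
# Assumption: processes that legitimately use Drive from a workstation.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: flag more than 1 MB uploaded to Drive per host/process.
UPLOAD_BYTES_THRESHOLD = 1_000_000


def parse_log(text):
    """Parse the tab-separated proxy log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, process, method, url, bytes_sent, user_agent = line.split("\t")
        records.append({
            "timestamp": ts, "host": host, "process": process.lower(),
            "method": method, "url": url, "bytes_sent": int(bytes_sent),
            "user_agent": user_agent,
        })
    return records


def is_drive_api_request(url):
    """True for requests to Google Drive API endpoints (metadata or upload)."""
    parsed = urlparse(url)
    return parsed.hostname in DRIVE_HOSTS and "/drive/" in parsed.path


def analyze_log(text):
    """Aggregate Drive API traffic per (host, process) and flag it when the
    process is not a known browser or its upload volume exceeds the threshold."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0})
    for rec in parse_log(text):
        if not is_drive_api_request(rec["url"]):
            continue
        key = (rec["host"], rec["process"])
        stats[key]["requests"] += 1
        if rec["method"] in ("POST", "PUT", "PATCH"):
            stats[key]["bytes_sent"] += rec["bytes_sent"]

    findings = []
    for (host, process), s in sorted(stats.items()):
        reasons = []
        if process not in BROWSER_PROCESSES:
            reasons.append("non-browser process using the Drive API")
        if s["bytes_sent"] >= UPLOAD_BYTES_THRESHOLD:
            reasons.append(f"uploaded {s['bytes_sent']} bytes to Drive")
        if reasons:
            findings.append({"host": host, "process": process,
                             "requests": s["requests"],
                             "bytes_sent": s["bytes_sent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['host']} {f['process']}: {f['requests']} Drive requests, "
              f"{f['bytes_sent']} bytes uploaded; " + "; ".join(f["reasons"]))
```

On the constructed sample, only the `WS-017` / `svcupd.exe` pair is reported (three Drive requests, about 12 MB uploaded); the browser upload from `chrome.exe` stays below the threshold and is allowlisted, and the Office 365 traffic is ignored because it never touches a Drive endpoint. In a real deployment the allowlist should be populated from an inventory of sanctioned Drive clients, and the threshold set from a baseline of normal upload volume.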