"New Windows Malware Scans Victims' Mobile Phones for Data to Steal"

Security researchers have discovered Dolphin, a previously unknown backdoor that North Korean hackers have used in highly targeted operations for over a year to steal files and upload them to Google Drive storage. According to ESET researchers, the APT37 threat group, also known as Reaper, Red Eyes, Erebus, and ScarCruft, used Dolphin against specific entities. The group has been linked to espionage activities aligned with North Korean interests since 2012. The malware was discovered in April 2021, and the researchers watched it evolve into new versions with improved code and anti-detection mechanisms.

Dolphin is used in conjunction with BLUELIGHT, a basic reconnaissance tool seen in previous APT37 campaigns. Dolphin, however, has more powerful capabilities, such as stealing data (including passwords) from web browsers, taking screenshots, and logging keystrokes. BLUELIGHT is used to launch Dolphin's Python loader on a compromised system, but its role in the espionage operations is otherwise limited. The Python loader consists of a script and shellcode that perform multi-step XOR decryption, process creation, and other operations, eventually executing the Dolphin payload in the memory of a newly created process. Dolphin is a C++ executable that uses Google Drive both as its command-and-control (C2) server and as a storage location for stolen files. The malware achieves persistence by modifying the Windows Registry. This article continues to discuss the distribution and capabilities of the Dolphin malware.
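As an added example (not code from the article, BleepingComputer, or ESET), the following Python script shows how a defender might turn the three behaviours the summary attributes to the Dolphin chain into simple detection rules: a Python interpreter spawning a child process (the loader stage), a value written under a Run key (Registry persistence), and a non-browser process contacting Google Drive's API host (Drive-based C2 and exfiltration). The event lines, field names, file paths and the Sysmon-style JSON layout are all constructed for the example and do not correspond to any vendor's real schema or to indicators from the ESET report.

```python
"""Toy detection pass over constructed endpoint telemetry.

Added example, not part of the article. Event lines are constructed JSON
records loosely modelled on Sysmon process-create, registry-set and
network-connect events; the field names are an assumption for this demo.
"""
import json

# Registry locations commonly used for user-logon persistence (substring match).
RUN_KEY_MARKERS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Google Drive endpoints: expected from a browser or a sync client, not from a
# stray binary in a temp directory.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}

# Constructed sample events (not real telemetry). Backslashes are kept as
# Windows paths via raw strings; json.dumps handles the escaping.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "registry_set", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "target": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Example"},
    {"event": "network_connect", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "dest_host": "www.googleapis.com", "dest_port": 443},
    {"event": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
]]


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule the event matches (possibly none)."""
    hits = []
    kind = event.get("event")
    if kind == "process_create" and basename(event.get("parent_image", "")) in PYTHON_IMAGES:
        hits.append("python_spawned_process")
    if kind == "registry_set":
        target = event.get("target", "").lower()
        if any(marker.lower() in target for marker in RUN_KEY_MARKERS):
            hits.append("run_key_persistence")
    if kind == "network_connect":
        host = event.get("dest_host", "").lower()
        if host in DRIVE_HOSTS and basename(event.get("image", "")) not in BROWSERS:
            hits.append("nonbrowser_drive_c2")
    return hits


def scan(lines):
    """Parse JSON event lines and group the offending process images by rule."""
    findings = {}
    for line in lines:
        event = json.loads(line)
        for rule in classify(event):
            findings.setdefault(rule, []).append(event.get("image"))
    return findings


if __name__ == "__main__":
    for rule, images in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {images}")
```

Each rule on its own is noisy (developers run Python, installers write Run keys, Google's own sync client talks to the Drive API), so in practice the value lies in correlating the three against the same host and process tree and in allowlisting known-good images before alerting.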

Bleeping Computer reports "New Windows Malware Scans Victims' Mobile Phones for Data to Steal"
