The APT 37 group Reaper, Red, Eyes, Erebus, & Scarcruft has used the Dolphin malware against very specific entities. This group has been linked with spying activities associated with North Korean interests since 2012.
Dophin is a malware family that has been detected by ESET researchers for over two decades. This malware family has evolved over time and now features improved code and detection methods.
The attackers use a combination of two tools in order to achieve their goals: Dolphin and BLUELIGHT. BLUELIGHT is a basic espionage tool that has been used in previous AP37 campaigns though it has more powerful abilities, such as stealing passwords from web browsers, logging keystrokes, and taking screenshots. Dolphin is a software development kit used by security researchers to build custom applications and is used by the attackers in order to steal passwords from web browsers.
The BLUELIGHT is used to start the Dolphin Python loader on an infected computer though it has a limited part in spying activities.
The Dolphin Python loader includes a script and a shellcode that launches a multi-step XOR decryption creation process that, in the end, results in the Dolphin payload being placed into the newly created memory process. ..
Dolphin is a malware program that uses Google Drive as its command and control center to store stolen files. The malware begins persistence by altering the Windows Registry. ..
A fake MSI Afterburner portal has been targeting Windows gamers for mining crypto currencies, according to a recent report. The fake website is designed to look like the official MSI Afterburner website, but instead features a list of tools and resources that are specifically designed to mine crypto currencies. The site also claims that users can earn rewards for participating in its mining program.
-Name of the computer -Version of the operating system -Time of day -Location of the computer -System type (PC, laptop, tablet)
Computer name: User name: Local and External IP addresses: Installed Antivirus RAM size and usage: Existence of debugging or network inspecting tool: Operating System version: 7.1.7601
The malware also has the C2 server’s current configuration, time, and version number, and the configuration holds keyloggers and also data exfiltration instructions and login details for Google Drive API, encryption keys, and access. ..
According to the ESET researchers, the attackers sent their commands to the malware by uploading them to Google Drive, and in return, the backdoor, i.e., Dolphin, uploads the results from executing those commands. In addition, Dolphin has an increased set of capabilities that includes scanning local & removable hard drives for a variety of data like images, documents, certificates, and emails. The feature was then improved further to filtrate data by extension.
The malware has an increased search capability that allows it to scan any phone which is connected to the infected computer by using the Windows Portable Drive API. However, the researchers at ESET say that this function was still being developed in the first version of the malware they discovered! ..
The examples of it are as follows.
The victim’s computer was likely infected with a malware program that used a hardcoded path to the victim’s username.
Some of the variables in the application are assumed to be initialized, but some are not. This can cause problems when trying to use some of the variables in the application.
Google has acknowledged that its Chrome browser is vulnerable to a type of malware that can steal passwords and other personal information. ..
Since January 2022, ESET security firm has found four different variants of the Dolphin malware. It is possible that the newer version of Dolphin exists and possibly has been used in attacks already because the backdoor has been used against specific targets. ..
The ESET researchers have found that the Dolphin malware was used in a water-hole attack on a South Korean newspaper reporting on activity and events related to North Korea. The attackers used Internet explorer to deploy the Dolphin malware to target the hosts.
Google has pushed a Chrome update to fix an eighth zero-day vulnerability of the year. This update fixes a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service (DoS) attack.
