Cyber firm discovered new backdoor used by North Korean linked hackers

Source: ESET

By Kuksung Nam, The Readable
Dec. 2, 2022 10:23PM KST

A hacking group, which authorities say works on behalf of the North Korean government, used a previously unreported backdoor in a 2021 attack on a South Korean news organization that focuses on North Korea, a private cybersecurity firm reported.

According to a report released Wednesday by ESET, the backdoor can be used to spy on victims’ computers by monitoring drives, exfiltrating files, keylogging, taking screenshots, and stealing credentials from browsers. Keylogging refers to monitoring software that records, and can steal, the keystrokes a user types on a device.

In addition, the new backdoor, which the company named Dolphin, abuses cloud storage services, specifically Google Drive, for command and control communication.

ESET discovered the backdoor while analyzing last year’s attack on a South Korean news organization specializing in North Korea, which it attributes to the alleged North Korean hacking group APT37. The group is also known as ScarCruft or Reaper. The report described APT37 as a hacking group that primarily focuses on South Korea.

Dolphin is the second backdoor that cybersecurity firms have tied to the attack. According to a report released by the cybersecurity firm Volexity in August of last year, the attacker deployed several exploits, including an Internet Explorer exploit, and a backdoor that Volexity named BLUELIGHT.

“We discovered (…) a more sophisticated backdoor deployed on selected victims via BLUELIGHT,” wrote ESET researcher Filip Jurčacko, who analyzed the backdoor, in a blogpost on WeLiveSecurity.

In contrast to the first backdoor, the researcher said, the second one “actively searches drives and automatically exfiltrates files with extensions of interest to ScarCruft.”
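The two behaviours the article attributes to Dolphin, sweeping drives for files with particular extensions and then using Google Drive for command and control, are exactly the pair a defender would try to correlate in endpoint telemetry. The script below is an added illustration, not code from ESET, Volexity or The Readable: the log format, the document-extension list, the Google hostnames and the threshold values are assumptions, and the sample events are constructed, not real logs.

```python
"""Correlate a per-process file sweep across several drives with a later
connection to Google Drive, the combination the article describes for Dolphin.
Everything below (log format, extension list, hostnames, thresholds) is an
assumption chosen for illustration, not ESET's detection logic."""
import ntpath
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs).
# Format assumed: "<time> <pid> <event> <detail>"
SAMPLE_EVENTS = [
    "10:00:01 4312 file_read C:\\Users\\kim\\Documents\\report.docx",
    "10:00:01 4312 file_read C:\\Users\\kim\\Documents\\budget.xlsx",
    "10:00:02 4312 file_read C:\\Users\\kim\\Desktop\\plan.hwp",
    "10:00:02 4312 file_read D:\\usb\\contacts.xlsx",
    "10:00:03 4312 file_read D:\\usb\\minutes.pdf",
    "10:00:03 4312 file_read C:\\Windows\\System32\\kernel32.dll",  # not a document
    "10:00:05 4312 net_connect www.googleapis.com:443",           # sweep, then Drive
    "10:00:07 2200 file_read C:\\Users\\kim\\Documents\\notes.txt",
    "10:00:08 2200 net_connect www.googleapis.com:443",           # one file: benign
    "10:00:09 7777 file_read C:\\work\\a.docx",
    "10:00:09 7777 file_read C:\\work\\b.docx",
    "10:00:09 7777 file_read C:\\work\\c.docx",
    "10:00:10 7777 file_read C:\\work\\d.docx",
    "10:00:10 7777 file_read C:\\work\\e.docx",
    "10:00:11 7777 net_connect www.googleapis.com:443",           # single drive only
]

# Assumed list of "extensions of interest"; the article names none.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp", ".txt"}
# Assumed hostnames a Google Drive client would contact.
CLOUD_HOSTS = {"www.googleapis.com", "drive.google.com"}

EVENT_RE = re.compile(r"^(\S+) (\d+) (\w+) (.+)$")


def parse_event(line):
    """Parse one telemetry line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ts, pid, kind, detail = m.groups()
    return {"ts": ts, "pid": int(pid), "kind": kind, "detail": detail}


def find_sweep_then_upload(lines, min_files=5, min_drives=2):
    """Return the sorted PIDs that read at least `min_files` document files
    spread over at least `min_drives` drive letters and *afterwards* connected
    to a cloud-storage host. Order matters: a connection before the sweep does
    not count, which keeps ordinary Drive sync clients from being flagged."""
    state = defaultdict(lambda: {"files": set(), "drives": set(), "hit": False})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        st = state[ev["pid"]]
        if ev["kind"] == "file_read":
            path = ev["detail"]
            ext = ntpath.splitext(path)[1].lower()   # ntpath handles Windows paths anywhere
            if ext in DOC_EXTS:
                st["files"].add(path)
                st["drives"].add(ntpath.splitdrive(path)[0].upper())
        elif ev["kind"] == "net_connect":
            host = ev["detail"].rsplit(":", 1)[0]
            swept = len(st["files"]) >= min_files and len(st["drives"]) >= min_drives
            if host in CLOUD_HOSTS and swept:
                st["hit"] = True
    return sorted(pid for pid, st in state.items() if st["hit"])


if __name__ == "__main__":
    print("suspicious pids:", find_sweep_then_upload(SAMPLE_EVENTS))  # [4312]
```

The multi-drive threshold is what separates the Dolphin-like process (PID 4312, which touched both C: and a removable D:) from a process that merely reads many documents in one folder (PID 7777); in a real deployment the thresholds would be tuned against baseline telemetry, and the drive-letter logic would be replaced by whatever volume identifiers the EDR emits.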

Cybersecurity firms have observed multiple versions of the backdoor since its initial discovery in April 2021. The researchers found that the attackers continue to develop the backdoor’s capabilities and have made attempts to evade detection.

“A notable feature of earlier Dolphin versions (…) is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security,” explained Filip Jurčacko. “[This is] most likely to maintain access to victims’ email inboxes.”

Kuksung Nam is a cybersecurity journalist for The Readable. She covers cybersecurity issues in South Korea, including the public and private sectors. Prior to joining The Readable, she worked as a political reporter for one of the top-five local newspapers in South Korea, The Kyeongin Ilbo, where she reported several exclusive stories regarding the misconduct of local government officials. She is currently focused on issues related to anti-fraud, as well as threats and crimes in cyberspace. She is a Korean native who is fluent in English and French, and she is interested in delivering the news to a global audience.