Cybersecurity researchers have discovered a new strain of Windows malware that can steal sensitive data from any connected device, including mobile phones, and that is apparently used by groups linked to the North Korean government.

ESET experts said they encountered a previously unknown information stealer named Dolphin. Dolphin is apparently being used by a threat actor known as APT37, or Erebus, a group with known ties to the North Korean government. The group, the researchers say, has been active for about a decade.

Dolphin was first seen in April 2021, but has since grown into a real beast. Today, it is capable of stealing information from web browsers (stored passwords, credit card details, etc.), taking screenshots of infected machines, and recording all keystrokes.

Upload all to Google Drive

The malware obtains its commands from an instance of Google Drive and also sends all the collected information there.

In addition to all this, Dolphin also collects information such as the computer name, local and external IP addresses, the security solutions installed on the machine, hardware specifications, and the operating system version.

It also scans all local and removable drives, as well as connected smartphones, for sensitive data (documents, emails, photos and videos, etc.). ESET says the smartphone access was made possible by the Windows Mobile Devices API.

Four different versions of the malware have been detected so far, with the latest version 3.0 being released in January 2022.

North Korea is relatively active on the cybercrime scene, with some large state-sponsored groups wreaking havoc in the digital world. Perhaps the most infamous example is the Lazarus Group, which managed to steal some $600 million from cryptocurrency company Ronin Bridge. Intelligence reports suggest that the North Korean government employs cybercriminal teams to finance its operations.

Via: BleepingComputer