Another day, another legitimate cloud service exploited for a cyber espionage campaign…
Researchers at ESET recently discovered Dolphin, a previously unreported backdoor used by the North Korean threat actor APT37 (AKA ScarCruft and Reaper) against selected targets. The backdoor, deployed after an initial compromise carried out with less sophisticated malware, was observed for the first time in early 2021, during a watering-hole attack on a South Korean online newspaper. Since then, the threat actors have continued to release new, enhanced versions that add capabilities and make the backdoor even more evasive.
Dolphin has multiple features, including the ability to monitor drives and portable devices, exfiltrate files of interest, capture keystrokes, take screenshots, and steal credentials from browsers. Interestingly, in what appears to be the latest example of a cloud service exploited in a cyber espionage campaign, Dolphin abuses Google Drive for its command and control (C2) communication.
APT37 is not the first example of an advanced persistent threat exploiting a legitimate cloud service as command and control infrastructure or to exfiltrate stolen data. And even if other services, like Dropbox, are abused more frequently by cyber espionage groups, this operation confirms state-sponsored threat actors’ growing interest in cloud services as a way to make their attacks more evasive, with new apps constantly joining the unwelcome list of those exploited in cyber espionage campaigns.
How Netskope mitigates the risk of a legitimate cloud service exploited to host C2 infrastructure
Google Drive (like Dropbox) is one of thousands of services where the Netskope Next Gen SWG can provide granular access control and one of the dozens for which instance detection is also available. In similar cases where Google Drive is abused for command and control communication, it is possible to configure a policy that blocks access or pote