The APT37 threat group targets people for intelligence gathering using the new elusive “M2RAT” malware and steganography. North Korea’s APT37, sometimes referred to as “RedEyes” or “ScarCruft,” is a hacker collective thought to be funded by the government. The hacker gang was observed in 2022 using Internet Explorer zero-day vulnerabilities to distribute a wide range of malware against selected companies and people.
For instance, the threat actors used the “Konni” remote access trojan (RAT) to attack EU-based companies, and targeted American journalists with a highly customizable malware dubbed “Goldbackdoor.”
In a new report published today, researchers at AhnLab Security Emergency Response Center (ASEC) explain how APT37 is now deploying a new malware strain named “M2RAT,” which uses a shared memory region for command passing and data exfiltration and leaves few operational traces on the compromised machine.
The most recent attacks seen by ASEC began in January 2023, when the group sent its targets phishing emails with malware attachments.
Opening the attachment exploits an outdated EPS vulnerability (CVE-2017-8291) in the Hangul word processor, which is widely used in South Korea. The exploit runs shellcode on the victim’s PC that downloads and launches malicious code hidden inside a JPEG image.
The JPEG file conceals the M2RAT executable (“lskdjfei.exe”) using steganography, a technique that hides code inside otherwise ordinary files; the shellcode extracts the executable, drops it on the system, and injects it into “explorer.exe.”
To maintain persistence, the malware adds a new value (“RyPO”) to the “Run” registry key that instructs Windows to launch a PowerShell script via “cmd.exe.” The exact same command was noted in a 2021 Kaspersky report on APT37.
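The two behaviours described above, a payload appended to a JPEG and a Run-key value that chains cmd.exe into PowerShell, are both things a defender can check for. The following script is an added example written for this page, not code from ASEC or from the article: it walks the JPEG marker structure to find the real End-Of-Image marker (so an EXIF thumbnail’s own EOI does not confuse it) and reports any bytes appended after it, then scans constructed registry-value records for autorun entries that launch a script interpreter with evasive flags. The sample JPEG bytes and registry records are constructed here; the page does not disclose how the payload is embedded in the image or the exact command stored under “RyPO,” so the appended-payload heuristic and the sample command line are assumptions.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ---------- Part 1: trailing data after a JPEG's End-Of-Image marker ----------

def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the JPEG EOI marker (FF D9).

    Segments before SOS are skipped by their declared length, so an embedded
    thumbnail inside APP1 (which has its own SOI/EOI) is never mistaken for the
    image end. After SOS the entropy-coded data is scanned for a marker byte that
    is neither a stuffed 0x00 nor a restart marker (FF D0..D7).
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, keep looking for the marker code
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the image ends here
            return pos
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # standalone RSTn / TEM
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment")
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == 0xDA:          # SOS: scan the entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def scan_jpeg(data: bytes) -> Dict[str, object]:
    """Classify a JPEG by what follows its EOI marker (appended-payload heuristic)."""
    trailer = data[find_eoi_offset(data):]
    if not trailer:
        verdict = "clean"
    elif trailer[:2] == b"MZ":
        verdict = "suspicious: PE header after EOI"
    elif len(trailer) > 64:          # size threshold is an assumption
        verdict = "suspicious: large trailer"
    else:
        verdict = "trailer present"
    return {"trailer": trailer, "verdict": verdict}

def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG (SOI, APP0, SOS with stuffed FF00, EOI) + payload."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xFF\xE0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    entropy = b"\x12\xFF\x00\x34"   # contains a byte-stuffed FF 00
    return b"\xFF\xD8" + app0 + sos + entropy + b"\xFF\xD9" + payload

# ---------- Part 2: autorun registry values launching script interpreters ----------

# Constructed records in the shape "key|value_name|data" (not real telemetry).
SAMPLE_RECORDS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|RyPO|cmd.exe /c powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command <constructed>",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce|Cleanup|C:\Windows\System32\cmd.exe /c del C:\temp\x.log",
    r"HKCU\Software\Example\Settings|Theme|dark",
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
INTERPRETER = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
EVASIVE = re.compile(r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|bypass|\biex\b|downloadstring|frombase64string)", re.IGNORECASE)

@dataclass
class Finding:
    value_name: str
    severity: str
    reasons: List[str] = field(default_factory=list)

def parse_record(line: str) -> Tuple[str, str, str]:
    key, name, data = line.split("|", 2)
    return key, name, data

def analyze_autoruns(records: List[str]) -> List[Finding]:
    findings = []
    for line in records:
        key, name, data = parse_record(line)
        if not AUTORUN_KEY.search(key):
            continue
        interps = {m.group(1).lower() for m in INTERPRETER.finditer(data)}
        reasons = []
        if "cmd" in interps and interps & {"powershell", "pwsh"}:
            reasons.append("cmd.exe chaining into PowerShell")
        elif interps:
            reasons.append("script interpreter in autorun: " + ", ".join(sorted(interps)))
        if EVASIVE.search(data):
            reasons.append("evasive PowerShell flags")
        if reasons:
            high = any(r.startswith(("cmd.exe chaining", "evasive")) for r in reasons)
            findings.append(Finding(name, "high" if high else "low", reasons))
    return findings

if __name__ == "__main__":
    print(scan_jpeg(build_sample_jpeg(b"MZ\x90\x00\xFF\xD9payload"))["verdict"])
    for f in analyze_autoruns(SAMPLE_RECORDS):
        print(f.severity, f.value_name, f.reasons)
```

The payload in the sample deliberately contains its own FF D9 bytes: a naive `rfind(b"\xFF\xD9")` would take that as the image end and miss the payload, which is why the scanner walks the marker structure instead. The autorun check flags the “RyPO”-style entry as high severity because it both chains cmd.exe into PowerShell and carries window-hiding and policy-bypass flags, while a plain cmd.exe cleanup entry is reported at low severity and an ordinary application autorun is not reported at all.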
RedEyes Hackers Use M2RAT to Target Windows and Mobile Devices
The M2RAT backdoor is a straightforward remote access trojan that performs keylogging, data theft, command execution, and desktop screenshotting. The screenshot function is triggered periodically and operates on its own, without a specific operator command.
The malware supports the following commands, which gather data from the infected device and send it back to the C2 server for the attackers to examine.
Figure: list of supported CMD commands (source: ASEC)
Particularly intriguing is that the malware can search for portable devices, such as smartphones or tablets, connected to the Windows computer.
When a portable device is identified, the malware searches its contents for documents and voice recordings and, if any are found, copies them to the PC for exfiltration to the attacker’s server.
The stolen data is packed into a password-protected RAR archive before exfiltration, and the local copy is wiped from memory to remove any traces.
Another intriguing aspect of M2RAT is its use of shared memory for C2 communication and data exfiltration: stolen data is transmitted directly to the C2 without being stored on the compromised system.
Using a memory region on the host for these purposes reduces the exchange with the C2 and complicates analysis, because security researchers must examine the memory of infected devices to recover the commands and data the malware used.
APT37 keeps updating its custom toolkit with evasive malware that is hard to detect and analyze. This holds true especially when the targets are individuals, as in the recent campaign discovered by ASEC, who lack the sophisticated threat detection systems used by larger corporations.
APT37, also known as RedEyes, is a hacking group believed to be state-supported that conducts cyber attacks for North Korea. It has recently been observed using Internet Explorer zero-day vulnerabilities to distribute various malware against targeted companies and people. A new report from AhnLab Security Emergency Response Center (ASEC) details how researchers discovered a new malware strain used by APT37, named “M2RAT,” which is introduced onto the victim’s PC using steganography and leaves very few operational traces.
The most recent attacks observed by ASEC began in January 2023, when the group sent its intended victims phishing emails with malware attachments. Opening the attachment exploits an outdated EPS vulnerability (CVE-2017-8291) in the widely used South Korean Hangul word processor, causing the victim’s machine to execute the shellcode.