APT37 Uses M2RAT Malware and Steganography to Target Individuals

February 14, 2023

The North Korean cyber espionage hacking group APT37, also known as 'RedEyes' or 'ScarCruft,' is using a new evasive malware strain called 'M2RAT' to target individuals for intelligence collection. In a new report released today by AhnLab Security Emergency response Center (ASEC), researchers explain how the threat actors are using a malicious attachment in phishing emails to exploit an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea. The exploit triggers shellcode to run on a victim's computer that downloads and executes a malicious executable stored within a JPEG image.
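The article only says the executable is "stored within a JPEG image" and does not describe how. A common defensive check for this class of lure is to parse the JPEG's own segment structure, find where the real image ends, and examine anything that follows for a Windows executable header. The following is an added example written for this page, not code from ASEC's report or from the article; it assumes the payload is carried as trailing data after the JPEG end-of-image (EOI) marker, which is one embedding method among several, and all sample bytes below are constructed rather than taken from the campaign.

```python
import struct

# JPEG markers used by the parser below
SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the
    real EOI marker. Segments are skipped by their declared length, so an
    EXIF thumbnail (an embedded JPEG with its own EOI) is not mistaken for
    the end of the outer image, which a naive data.find(EOI) would do."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: image data ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > n:
            break
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: skip entropy-coded data up to the next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break             # 0xFF00 is a stuffed byte; RSTn stays inside the scan
                pos += 1
    raise ValueError("no EOI marker found (truncated or not a JPEG)")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_image(data: bytes) -> dict:
    """Report how many bytes follow the image and whether they look like a PE file."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "trailer_is_pe": looks_like_pe(trailer),
    }


# --- constructed sample inputs (not real files from the campaign) ---
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# An EXIF-style APP1 segment embedding a tiny thumbnail JPEG that has its own EOI.
_thumb = SOI + _segment(0xDA, b"\x00") + b"\x12\x34" + EOI
_app1 = _segment(0xE1, b"Exif\x00\x00" + _thumb)
# A scan segment followed by entropy-coded data containing a stuffed 0xFF00 and an RST0 marker.
_scan = _segment(0xDA, b"\x01\x01\x00") + b"\xab\xff\x00\xcd\xff\xd0\xef"
CLEAN_JPEG = SOI + _app1 + _scan + EOI

# A minimal PE-shaped stub: 'MZ', e_lfanew = 0x40, then the 'PE\0\0' signature.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
SUSPICIOUS_JPEG = CLEAN_JPEG + FAKE_PE

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("suspicious", SUSPICIOUS_JPEG)):
        print(name, inspect_image(img))
    # A naive search stops at the thumbnail's EOI and would misjudge the clean image.
    print("naive EOI offset:", CLEAN_JPEG.find(EOI) + 2, "real:", jpeg_end_offset(CLEAN_JPEG))
```

Run it on any `.jpg` by passing the file bytes to `inspect_image`; a non-zero `trailing_bytes` on an image attached to a mail is worth a closer look even when `trailer_is_pe` is false, since a payload can also be encoded or encrypted before it is appended. The point of parsing segments rather than searching for the first `FFD9` is precision: camera JPEGs routinely carry an EXIF thumbnail with its own EOI, so the naive check would flag benign photos.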

The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and screenshot capture of the desktop. It can also scan for portable devices connected to the Windows computer, such as smartphones or tablets, and copy any documents and voice recording files it finds to the PC for exfiltration to the attacker's server. The malware uses a shared memory section for command and control (C2) communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing it on the compromised system. According to ASEC, this makes analysis harder, as security researchers have to analyze the memory of infected devices to retrieve the commands and data used by the malware.

"APT37 continues to refresh its custom toolset with evasive malware that is challenging to detect and analyze," said ASEC. "This is especially true when the targets are individuals, like in the recent campaign spotted by ASEC, who lack larger organizations' sophisticated threat detection tools."
