The APT37 threat group is using a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.
APT37, also known as 'RedEyes' or 'ScarCruft,' is a North Korean cyber espionage hacking group believed to be state-supported.
In 2022, the hacking group was seen exploiting Internet Explorer zero-days and distributing a wide assortment of malware against targeted entities and individuals.
For example, the threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT (remote access trojan) called 'Konni,' and targeted U.S. journalists with a highly customizable malware named 'Goldbackdoor.'
In a new report released today by AhnLab Security Emergency response Center (ASEC), researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.
Starts with phishing
The recent attacks observed by ASEC started in January 2023, when the hacking group sent phishing emails containing a malicious attachment to their targets.
Opening the attachment triggers the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea. The exploit causes shellcode to run on the victim's computer that downloads and executes a malicious executable stored inside a JPEG image.
This JPG image file uses steganography, a technique that allows hiding code inside files, to stealthily introduce the M2RAT executable ("lskdjfei.exe") onto the system and inject it into "explorer.exe."
For persistence on the system, the malware adds a new value ("RyPO") in the "Run" Registry key, with commands to execute a PowerShell script via "cmd.exe." This same command was also seen in a 2021 Kaspersky report about APT37.
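As an added illustration of how a defender might hunt for the persistence mechanism just described (this is example code, not from the ASEC report or the malware itself): a Python scan over a constructed .reg export of the HKCU Run key that flags the reported value name "RyPO" and any command that chains cmd.exe into PowerShell. The command text in the sample is a constructed placeholder, since the report does not publish the full command line.

```python
import re
from typing import Dict, List

# Value name the ASEC report attributes to M2RAT's Run-key persistence.
KNOWN_VALUE_NAMES = {"RyPO"}

# cmd.exe launching powershell, plus PowerShell switches typical of loaders
# (the switches are real; their use in the sample below is illustrative).
CMD_TO_POWERSHELL = re.compile(r"\bcmd(?:\.exe)?\b.*\bpowershell\b", re.IGNORECASE)
EVASION_SWITCHES = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-(?:w|windowstyle)\s+hidden|-(?:enc|encodedcommand)\b",
    re.IGNORECASE,
)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')          # "name"="string data"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\]$", re.IGNORECASE)

# Constructed sample .reg export: one benign autorun and one modelled on the report.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"RyPO"="c:\\windows\\system32\\cmd.exe /c powershell -w hidden -ep bypass -f C:\\Users\\Public\\update.ps1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''


def _unescape_reg(data: str) -> str:
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return data.replace("\\\\", "\\").replace('\\"', '"')


def find_suspicious_run_values(reg_export: str) -> List[Dict[str, object]]:
    """Return Run/RunOnce values whose name or command matches the indicators above."""
    findings, current_key, in_run_key = [], None, False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):                       # new key header
            current_key, in_run_key = line.strip("[]"), bool(RUN_KEY.search(line))
            continue
        m = VALUE_LINE.match(line)
        if not (in_run_key and m):
            continue
        name, command = m.group(1), _unescape_reg(m.group(2))
        reasons = []
        if name in KNOWN_VALUE_NAMES:
            reasons.append(f"value name {name!r} reported for M2RAT persistence")
        if CMD_TO_POWERSHELL.search(command):
            reasons.append("cmd.exe used to launch powershell")
        if EVASION_SWITCHES.search(command):
            reasons.append("hidden-window / execution-policy-bypass / encoded switches")
        if reasons:
            findings.append({"key": current_key, "name": name, "command": command, "reasons": reasons})
    return findings
```

On a live host the same function can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`.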
M2RAT steals from Windows and phones
The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and the taking of screenshots from the desktop.
The screenshot-snapping function is activated periodically and works autonomously without requiring a specific operator command.
The malware supports the following commands, which collect information from the infected device and then send it back to the C2 server for the attackers to review.
The malware's ability to scan for portable devices connected to the Windows computer, such as smartphones or tablets, is particularly interesting.
If a portable device is detected, it will scan the device's contents for documents and voice recording files and, if found, copy them to the PC for exfiltration to the attacker's server.
Before exfiltration, the stolen data is compressed in a password-protected RAR archive, and the local copy is wiped from memory to eliminate any traces.
Another interesting feature of M2RAT is that it uses a shared memory section for command and control (C2) communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing it on the compromised system.
Using a memory section on the host for the above functions minimizes the exchange with the C2 and makes analysis harder, as security researchers need to analyze the memory of infected devices to retrieve the commands and data used by the malware.
In conclusion, APT37 continues to refresh its custom toolset with evasive malware that is challenging to detect and analyze.
This is especially true when the targets are individuals, as in the recent campaign observed by ASEC, who lack the sophisticated threat detection tools of larger organizations.