APT37 (also tracked as RedEyes, ScarCruft, Ricochet Chollima, Reaper, Group123 and InkySquid) is a North Korean cyber-espionage group believed to operate with the backing of the DPRK government. It was recently revealed that the group is using a new, evasive piece of malware, M2RAT, together with steganography to collect intelligence.

In 2022, APT37 was seen exploiting Internet Explorer zero-day vulnerabilities and deploying a wide range of malware against targeted organizations and individuals: it attacked EU-based organizations with a new version of its "Dolphin" backdoor, deployed a custom remote access trojan (RAT) called "Konni", and targeted US journalists with custom malware named "Goldbackdoor".

In a new report, researchers at the AhnLab Security Emergency Response Center (ASEC) explain how APT37 is now using a new malware strain called "M2RAT". It uses a shared memory section for command execution and data exfiltration, leaving very few traces on the infected machine.

The attacks began in January 2023, when the group sent its targets phishing emails carrying a malicious attachment. Opening the attachment triggers an old EPS-handling vulnerability, CVE-2017-8291, in the Hangul word processor, which is widely used in South Korea. The exploit runs shellcode on the victim's computer, which downloads a JPEG image and executes the malware hidden inside it. The JPEG relies on steganography, a technique for concealing code inside an otherwise ordinary file, to drop the M2RAT executable ("lskdjfei.exe") onto the system without attracting attention; the executable is then injected into "explorer.exe".

For persistence, the malware adds a new value ("RyPO") to the "Run" registry key whose command launches a PowerShell script via "cmd.exe". The same command was also seen in Kaspersky's 2021 report on APT37.
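Triage for the kind of image carrier described above, as an added example that is not from the ASEC report or from APT37's tooling: it walks a JPEG's marker segments to find where the image proper ends, checks whether anything is appended after the End-Of-Image marker, and looks for a PE header there, plain or under a single-byte XOR. The minimal JPEG, the fake PE stub and the XOR key are all constructed for the example; the report does not say exactly how M2RAT's payload is encoded inside the image, so "appended after EOI" is an assumption about the layout, not a description of the real sample.

```python
# Added example, not code from the ASEC report or from APT37: triage a JPEG
# for a payload appended after the End-Of-Image marker. The image, the fake
# PE stub and the XOR key below are constructed for the example.

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments of a JPEG and return the offset just past EOI.

    Raises ValueError for non-JPEG or truncated input.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                         # EOI: image proper ends here
            return pos + 2
        if marker == 0xFF:                         # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                               # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                         # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                          # a real marker (0xFF00 is a stuffed byte)
                pos += 1
    raise ValueError("no EOI marker found")


def find_embedded_pe(blob: bytes):
    """Return (xor_key, offset) if blob holds an 'MZ' header followed by the
    DOS-stub text, either plain or under a single-byte XOR; otherwise None."""
    for key in range(256):
        dec = bytes(b ^ key for b in blob)
        off = dec.find(b"MZ")
        while off != -1:
            if b"This program" in dec[off:off + 512]:
                return key, off
            off = dec.find(b"MZ", off + 1)
    return None


def triage(data: bytes) -> dict:
    """Summarise what, if anything, trails the image data."""
    tail = data[jpeg_end_offset(data):]
    return {
        "trailing_bytes": len(tail),
        "embedded_pe": find_embedded_pe(tail) if tail else None,
    }


# Constructed minimal JPEG: SOI, APP0/JFIF, a tiny SOS with one stuffed 0xFF00, EOI.
MINIMAL_JPEG = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    b"\x12\x34\xff\x00\x56"
    b"\xff\xd9"
)
# Constructed stand-in for a PE dropped behind the image, XOR-obfuscated with 0x5A.
FAKE_PE_STUB = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
XOR_KEY = 0x5A
SAMPLE_CARRIER = MINIMAL_JPEG + bytes(b ^ XOR_KEY for b in FAKE_PE_STUB)

if __name__ == "__main__":
    print("clean image:", triage(MINIMAL_JPEG))
    print("carrier    :", triage(SAMPLE_CARRIER))
```

Walking the segments rather than searching for the last `FF D9` matters because entropy-coded data and appended payloads can both contain that byte pair; the single-byte XOR sweep is a cheap heuristic for the most common light obfuscation, and anything more elaborate (a stream cipher, LSB embedding in pixel data) will not be found this way.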
The M2RAT backdoor behaves like a typical remote access trojan: it performs keylogging, steals data, executes commands and takes screenshots of the desktop. The screen capture function runs periodically and autonomously, without a specific operator command.

Of particular interest is the malware's ability to scan portable devices connected to the Windows machine, such as smartphones or tablets. When a portable device is detected, M2RAT searches its contents for documents and voice recordings and, if it finds any, copies them to the computer for exfiltration to the attacker. Before exfiltration, the stolen data is packed into a password-protected RAR archive, and the local copy is deleted to remove traces.

Another notable feature of M2RAT is its use of a shared memory section to pass C2 commands and collected data without storing them on the compromised system. Keeping this exchange in a shared memory section on the host minimizes communication with the C2 server and complicates analysis for researchers.

APT37 keeps updating its custom toolset with malware that is hard to detect and analyze. Such tools are especially effective against small organizations that are not prepared to detect and repel this kind of attack.
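A hunt for the Run-key persistence the article describes, as an added example that is not ASEC's or APT37's code: it scores each Run value for a cmd.exe-to-PowerShell chain, hidden-window, bypass and encoded-command flags, a script-host or LOLBin launcher, and a payload in a user-writable path, and separately matches the value name "RyPO" reported by ASEC. The sample registry values are constructed; the command line shown under "RyPO" is an assumed illustration, not the exact command from the report. On a Windows host the collect_run_values() helper reads the real HKCU and HKLM Run keys via winreg; elsewhere it returns nothing and the sample data is used.

```python
# Added example, not ASEC's or APT37's code: score Run-key values for the
# cmd.exe -> PowerShell persistence pattern the report describes. Only the
# value name "RyPO" comes from the report; every command line below is constructed.
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAMES = {"RyPO"}          # value name reported by ASEC for M2RAT persistence

# (reason, weight, pattern) matched against the value data, case-insensitively
RULES = [
    ("powershell launched via cmd.exe", 2, re.compile(r"cmd(?:\.exe)?\s+/[ck]\s+.*powershell", re.I)),
    ("hidden window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", 2, re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded command", 2, re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("script host / LOLBin launcher", 1,
     re.compile(r"\b(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\b", re.I)),
    ("payload in user-writable path", 1, re.compile(r"\\(?:users\\public|appdata|programdata|temp)\\", re.I)),
]


def score_entry(name: str, data: str):
    """Return (score, reasons) for one Run value; name may carry a hive prefix."""
    reasons, score = [], 0
    if name.rsplit("\\", 1)[-1] in IOC_VALUE_NAMES:
        reasons.append("value name matches reported IOC")
        score += 3
    for reason, weight, pattern in RULES:
        if pattern.search(data):
            reasons.append(reason)
            score += weight
    return score, reasons


def hunt_run_keys(entries, threshold: int = 2):
    """Return entries scoring at or above threshold, highest score first.
    A lone weak signal (e.g. a legitimate app running from AppData) stays below it."""
    hits = []
    for name, data in entries:
        score, reasons = score_entry(name, data)
        if score >= threshold:
            hits.append({"name": name.rsplit("\\", 1)[-1], "data": data,
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def collect_run_values():
    """Read HKCU and HKLM Run values on a live Windows host; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:          # no more values
                        break
                    found.append((f"{label}\\{name}", str(data)))
                    i += 1
        except OSError:                      # key missing or access denied
            continue
    return found


# Constructed sample Run values (the "RyPO" command line is an assumed illustration).
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("RyPO", r"c:\windows\system32\cmd.exe /c powershell.exe -windowstyle hidden "
             r"-ExecutionPolicy Bypass -File C:\Users\Public\Documents\update.ps1"),
    ("Steam", r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
    ("Updater", r"wscript.exe //B C:\ProgramData\upd\u.vbs"),
]

if __name__ == "__main__":
    for hit in hunt_run_keys(collect_run_values() or SAMPLE_RUN_VALUES):
        print(f"[{hit['score']:>2}] {hit['name']}: {hit['data']}\n      {', '.join(hit['reasons'])}")
```

The weights are deliberately asymmetric: the flags that hide a PowerShell window or disable its policy are strong on their own, while "runs from AppData" or "uses a script host" only count in combination, which keeps OneDrive-style entries out of the results and still surfaces the quieter wscript case.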