The APT37 threat gang targets people for information gathering using the new elusive “M2RAT” malware and steganography. APT37, also known as “RedEyes” or “ScarCruft,” is a North Korean hacker collective said to be funded by the government.
The hacker gang was observed in 2022 using Internet Explorer zero-day vulnerabilities to distribute malware against selected companies and people. For instance, the threat actors used a customized RAT (remote access trojan) called “Konni” and targeted American journalists with a highly-customizable malware dubbed “Goldbackdoor” to attack EU-based companies. According to a new report published by AhnLab Security Emergency response Center (ASEC), researchers describe how APT37 is deploying a new malware strain named “M2RAT.” It uses a shared memory region for instructions and data exfiltration, leaving very few operating traces on the compromised computer.
The hacker group began the most recent cyberattacks seen by ASEC in January 2023 by sending its targets phishing emails with malware attachments. An outdated EPS vulnerability (CVE-2017-8291) in the widely used Hangul word processor in South Korea is exploited when the attachment is opened. The exploit on the victim’s PC will make the shellcode run, downloading and launching malicious code hidden inside a JPEG image. This JPG image file sneakily installs the M2RAT executable (“lskdjfei.exe”) on the system and injects it into “explorer.exe” via steganography, a method that permits concealing code inside files. For persistence on the system, the malware adds a new value (“RyPO”) in the “Run” Registry key, with commands to execute a PowerShell script via “cmd.exe.” A 2021 Kaspersky report on APT37 had identical instructions.
The M2RAT backdoor functions as a straightforward remote access trojan, carrying out keylogging, data stealing, command execution, and desktop screenshotting. The feature to take screenshots is periodically triggered and operates independently without a particular operator order. The following instructions are supported by the virus, which gathers data from the infected device and sends it back to the C2 server for the attackers to examine. It’s particularly intriguing how the malware may search for portable devices like smartphones or tablets linked to the Windows PC.
When a portable device is identified, the software searches its contents for documents and voice recordings. It copies them to the PC for exfiltration to the attacker’s server if any are discovered. The stolen data is packed in a password-protected RAR package before being exfiltrated, and the local copy is erased from memory to remove any traces. The employment of shared memory by M2RAT for C2 communication, data exfiltration, and the direct transmission of stolen data to the C2 without keeping it in the infected system is another intriguing aspect of this malware. As security researchers must examine the memory of infected devices to recover the commands and data employed by the malware, using a memory area on the host for the purposes mentioned above reduces the interchange with the C2 and complicates analysis.
In conclusion, APT37 keeps updating its unique toolkit with evasive malware that is hard to identify and decipher. This is particularly true when the targets are people, as in the latest campaign discovered by ASEC, who lack the sophisticated threat detection systems used by bigger corporations.
