APT37, the North Korean state-sponsored cyber espionage group also tracked as RedEyes, has recently been seen exploiting Internet Explorer zero-days and distributing various malware against targeted entities and individuals. In a new report released by AhnLab Security Emergency Response Center (ASEC), researchers explain how APT37 is now using a new malware strain called “M2RAT.” It uses steganography to introduce the malware into the victim’s system and leaves very few operational traces.

How do RedEyes hackers phish?

The recent attacks observed by ASEC started in January 2023, when the hacking group sent phishing emails containing malicious attachments to their targets. The attachment triggers the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea. The exploit causes shellcode to run on the victim’s computer, which downloads and executes a malicious executable stored within a JPEG image. The JPEG file uses steganography, a technique for hiding code inside files, to stealthily introduce the M2RAT executable (“lskdjfei.exe”) onto the system and inject it into “explorer.exe.”

For persistence on the system, the malware adds a new value (“RyPO”) to the “Run” Registry key, with commands that execute a PowerShell script via “cmd.exe.” The same command was also documented in a 2021 Kaspersky report about APT37. The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution and desktop screenshot capture. The screenshot function runs autonomously and does not require a specific operator command.
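As a defender-side check for the persistence mechanism described above, here is an added PowerShell audit script (not code from the ASEC report or from the malware): it enumerates the common Run keys and flags entries whose value name matches the reported “RyPO”, whose data launches PowerShell through cmd.exe, or whose data references the reported “lskdjfei.exe”. The exact command line is not given on the page, so the matching is by pattern, and the key list and regexes are assumptions.

```powershell
# Added audit example, not part of the original article or the ASEC report.
# Assumed locations: the standard per-user and per-machine Run keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspiciousRunEntries {
    param([string[]]$Keys = $runKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data    = [string]$item.GetValue($name)
            $reasons = @()

            # Value name reported by ASEC for M2RAT persistence.
            if ($name -eq 'RyPO') {
                $reasons += 'value name matches the reported M2RAT entry (RyPO)'
            }
            # cmd.exe used as a launcher for PowerShell (pattern from the article).
            if ($data -match '(?i)\bcmd(\.exe)?\b.*powershell') {
                $reasons += 'cmd.exe launches PowerShell'
            }
            # Assumed generic indicators: hidden window, encoded command, policy bypass.
            if ($data -match '(?i)powershell.*(-enc\b|-e\s|encodedcommand|hidden|bypass)') {
                $reasons += 'hidden/encoded/bypass PowerShell switches'
            }
            # Dropper file name reported by ASEC.
            if ($data -match '(?i)lskdjfei\.exe') {
                $reasons += 'references the reported dropper name lskdjfei.exe'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $name
                    Data   = $data
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-List
```

Run it in an elevated session so the HKLM keys are readable; a hit on the generic switch patterns alone warrants a look at the referenced script rather than an automatic verdict.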

What commands does the malware support?

The malware supports commands that collect information from the infected device and send it back to the C2 server for the attackers to review. Particularly interesting is the malware’s ability to scan for portable devices, such as smartphones or tablets, connected to the Windows computer. If a portable device is detected, the malware scans its contents for documents and voice recording files and copies them to the PC for exfiltration to the attacker’s server.

Before exfiltration, the stolen data is compressed into a password-protected RAR archive, and the local copy is then wiped from memory to eliminate any traces. Another interesting feature of M2RAT is its use of a shared memory section for command and control (C2) communication, data exfiltration and the direct transfer of stolen data to the C2, without storing that data on the compromised system. Using a memory section on the host for these functions minimizes the exchange with the C2 and makes analysis harder, as security researchers have to analyze the memory of infected devices to retrieve the commands and data used by the malware.

Learn about the RedEyes hackers’ history.

APT37, also known as “RedEyes” or “ScarCruft,” has a history of using custom tools and techniques for intelligence collection. The group’s latest malware strain, M2RAT, allows them to steal data from Windows computers and connected portable devices, making it an even more significant threat to individuals’ privacy and security. The malware’s use of steganography and of a shared memory section for command and control communication and data exfiltration makes it more challenging to detect and analyze, so sophisticated threat detection tools are essential to prevent and stop such attacks.