The North Korea-linked risk actor tracked as APT37 has been linked to a bit of latest malware dubbed M2RAT in assaults focusing on its southern counterpart, suggesting continued evolution of the group’s options and ways.
APT37, additionally tracked beneath the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea’s Ministry of State Safety (MSS) in contrast to the Lazarus and Kimsuky risk clusters which can be a part of the Reconnaissance Basic Bureau (RGB).
In response to Google-owned Mandiant, MSS is tasked with “home counterespionage and abroad counterintelligence actions,” with APT37’s assault campaigns reflective of the company’s priorities. The operations have traditionally singled out people similar to defectors and human rights activists.
“APT37’s assessed major mission is covert intelligence gathering in help of DPRK’s strategic navy, political, and financial pursuits,” the risk intelligence agency mentioned.
The risk actor is recognized to rely on custom-made instruments similar to Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to reap delicate data from compromised hosts.
“The primary characteristic of this RedEyes Group assault case is that it used a Hangul EPS vulnerability and used steganography methods to distribute malicious codes,” AhnLab Safety Emergency response Heart (ASEC) mentioned in a report printed Tuesday.
The an infection chain noticed in January 2023 commences with a decoy Hangul doc, which exploits a now-patched flaw within the phrase processing software program (CVE-2017-8291) to set off shellcode that downloads a picture from a distant server.
The JPEG file makes use of steganographic methods to hide a transportable executable that, when launched, downloads the M2RAT implant and injects it into the authentic explorer.exe course of.
Whereas persistence is achieved via a Home windows Registry modification, M2RAT capabilities as a backdoor able to keylogging, display seize, course of execution, and knowledge theft. Like Dolphin, it is also designed to siphon knowledge from detachable disks and related smartphones.
“These APT assaults are very tough to defend towards, and the RedEyes group particularly is understood to primarily goal people, so it may be tough for non-corporate people to even acknowledge the harm,” ASEC mentioned.
This isn’t the primary time CVE-2017-8291 has been weaponized by North Korean risk actors. In late 2017, the Lazarus Group was noticed focusing on South Korean cryptocurrency exchanges and customers to deploy Destover malware, in accordance with Recorded Future.