North Korea’s APT37 Targeting Southern Counterpart with New M2RAT Malware

Feb 15, 2023 | Ravie Lakshmanan | Threat Intelligence / Malware

The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics.

APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS), unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB).

According to Google-owned Mandiant, MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," with APT37's attack campaigns reflective of the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists.

"APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelligence firm said.

The threat actor is known to rely on custom tools such as Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to harvest sensitive information from compromised hosts.

"The main characteristic of this RedEyes Group attack case is that it used a Hangul EPS vulnerability and used steganography techniques to distribute malicious codes," AhnLab Security Emergency response Center (ASEC) said in a report published Tuesday.

The infection chain observed in January 2023 commences with a decoy Hangul document, which exploits a now-patched flaw in the word processing software (CVE-2017-8291) to trigger shellcode that downloads an image from a remote server.

The JPEG file uses steganographic techniques to conceal a portable executable that, when launched, downloads the M2RAT implant and injects it into the legitimate explorer.exe process.

While persistence is achieved through a Windows Registry modification, M2RAT functions as a backdoor capable of keylogging, screen capture, process execution, and data theft. Like Dolphin, it is also designed to siphon data from removable disks and connected smartphones.

"These APT attacks are very difficult to defend against, and the RedEyes group in particular is known to mainly target individuals, so it can be difficult for non-corporate individuals to even recognize the damage," ASEC said.

This isn't the first time CVE-2017-8291 has been weaponized by North Korean threat actors. In late 2017, the Lazarus Group was observed targeting South Korean cryptocurrency exchanges and users to deploy Destover malware, according to Recorded Future.
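As an added illustration from the defender's side (example code written for this page, not ASEC's analysis and not anything recovered from the campaign), the following Python checks image files for two generic signs that a JPEG is carrying an embedded Windows executable: bytes trailing the end-of-image marker, and an MZ header whose e_lfanew field points at a valid PE signature. The article does not say which steganographic technique the RedEyes sample used, so treating these two cases as representative is an assumption; the sample JPEG and the fake PE header in the script are constructed for the demonstration.

```python
"""Heuristic scan of image files for an embedded Windows PE payload.

Added example, not from the original article or from ASEC. The article
reports that the JPEG in this chain concealed a portable executable via
steganography without describing the method, so this checker covers two
common, generic cases a defender can test for offline:
  1. data appended after the JPEG end-of-image marker (FF D9), and
  2. an MZ header anywhere in the file whose e_lfanew resolves to "PE\\0\\0".
Both are heuristics: a hit is a reason to look closer, not proof of malice.
"""
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Return the number of bytes following the last JPEG EOI marker (0 if none)."""
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        return 0
    return len(data) - (idx + len(JPEG_EOI))


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of MZ headers whose e_lfanew points to a PE signature."""
    hits = []
    start = 0
    while True:
        mz = data.find(b"MZ", start)
        if mz == -1:
            break
        # The DOS header is 0x40 bytes; e_lfanew is the little-endian DWORD at 0x3C.
        if mz + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
            pe = mz + e_lfanew
            # Sanity-bound e_lfanew so random "MZ" text does not produce wild reads.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(mz)
        start = mz + 1
    return hits


def assess_image(data: bytes) -> dict:
    """Summarise the indicators for one file's bytes."""
    return {
        "is_jpeg": data.startswith(JPEG_SOI),
        "trailing_bytes": trailing_bytes_after_eoi(data),
        "pe_offsets": find_embedded_pe(data),
    }


def build_fake_pe() -> bytes:
    """Construct a minimal DOS header plus PE signature (not a runnable binary)."""
    dos = bytearray(b"MZ" + b"\0" * 62)           # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> right after header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed sample inputs: a tiny JPEG skeleton, and the same with a PE appended.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
STEGO_JPEG = CLEAN_JPEG + build_fake_pe()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG)):
        print(name, assess_image(blob))
```

In practice the same two functions can be run over files pulled from a proxy cache or mail gateway quarantine; a non-zero `trailing_bytes` on an otherwise valid JPEG, or any entry in `pe_offsets`, is worth a closer look, while bit-level steganography that does not leave a contiguous PE would not be caught by either check.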
