The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting South Korea, suggesting continued evolution of the group's tactics and techniques.
APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS), unlike the Lazarus and Kimsuky threat clusters, which are part of the Reconnaissance General Bureau (RGB).
According to Google-owned Mandiant, the MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," and APT37's attack campaigns reflect the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists.
"APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelligence firm said.
The threat actor is known to rely on bespoke tools such as Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to harvest sensitive information from compromised hosts.
"The main feature of this RedEyes Group attack case is that it used a Hangul EPS vulnerability and used steganography techniques to distribute malicious codes," AhnLab Security Emergency response Center (ASEC) said in a report published Tuesday.
The infection chain observed in January 2023 begins with a decoy Hangul document that exploits a now-patched flaw in the word processor's handling of embedded EPS (Encapsulated PostScript) images. The flaw, CVE-2017-8291, is a type confusion bug in the Ghostscript interpreter that Hangul used to render PostScript; a crafted EPS triggers shellcode that downloads an image from a remote server.
The JPEG file uses steganographic techniques to conceal a portable executable that, when launched, downloads the M2RAT implant and injects it into the legitimate explorer.exe process. Because the implant then runs under a trusted process name, defenders need to look at what explorer.exe does (outbound connections, registry writes, access to removable media) rather than at the name alone.
Persistence is achieved through a Windows Registry modification. M2RAT itself functions as a backdoor capable of keylogging, screen capture, process execution, and information theft. Like Dolphin, it is also designed to siphon data from removable disks and connected smartphones.
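The article does not describe how the executable is encoded inside the image, so the check below targets the simplest and most common form of the technique: a valid JPEG with an extra payload appended after the End-Of-Image marker, which image viewers silently ignore. It is an added example written for this page, not ASEC's code or M2RAT's actual encoding. It walks the JPEG segment table to find the true end of the image (a naive search for the last FFD9 would be fooled by those bytes inside the payload), then tests whether the trailing data carries the two signatures a PE loader checks first. The sample JPEG and the "PE" stub are constructed inline and are not real files; a payload hidden in pixel data or XOR-encoded would not be caught by this check.

```python
import struct


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking JPEG segments.

    Entropy-coded scan data is skipped byte by byte, honouring stuffed 0xFF00
    bytes and RSTn markers so they are not mistaken for the end of the image.
    Raises ValueError on malformed or truncated input.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows until next marker
            while pos + 1 < len(data):
                if data[pos] != 0xFF:
                    pos += 1
                    continue
                nxt = data[pos + 1]
                if nxt == 0xD9:
                    return pos + 2
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos += 2  # stuffed byte or restart marker
                    continue
                break  # another real marker (e.g. a further progressive scan)
    raise ValueError("no EOI marker found")


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: DOS 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_image(data: bytes) -> dict:
    """Report how much data follows the JPEG and whether it parses as a PE."""
    end = find_jpeg_end(data)
    trailer = data[end:]
    return {
        "jpeg_end": end,
        "trailer_len": len(trailer),
        "trailer_is_pe": looks_like_pe(trailer),
    }


# --- constructed test data (not real files, not derived from M2RAT) ---------

def build_fake_jpeg(trailer: bytes = b"") -> bytes:
    """Syntactically valid JPEG container: SOI, APP0, SOS, scan data, EOI."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    # scan data containing a stuffed FF00 and an RST0 marker, neither of which
    # may be treated as the end of the image
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    eoi = b"\xff\xd9"
    return soi + app0 + sos + scan + eoi + trailer


def build_fake_pe_stub() -> bytes:
    """Header-only stub with the MZ/PE signatures; not an executable."""
    hdr = bytearray(0x40 + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    print("clean image:", inspect_image(build_fake_jpeg()))
    print("image with appended PE:", inspect_image(build_fake_jpeg(build_fake_pe_stub())))
```

Run against a real sample, the script reads the file and passes its bytes to `inspect_image`; any non-zero `trailer_len` on an image received as a download is worth a second look even when `trailer_is_pe` is false, since an XOR-encoded payload has the same shape but no visible signatures.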
"These APT attacks are very difficult to defend against, and the RedEyes group in particular is known to mainly target individuals, so it can be difficult for non-corporate individuals to even recognize the damage," ASEC said.
This isn't the first time CVE-2017-8291 has been weaponized by North Korean threat actors. In late 2017, the Lazarus Group was observed targeting South Korean cryptocurrency exchanges and users to deploy Destover malware, according to Recorded Future.