North Korea’s APT37 Targeting Southern Counterpart with New M2RAT Malware

February 15, 2023 · Ravie Lakshmanan · Threat Intelligence / Malware

The North Korea-linked threat actor tracked as APT37 has been connected to a new piece of malware called M2RAT, a sign that the group's tooling and tactics continue to evolve.

APT37, also tracked under the names Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to the North Korean Ministry of State Security (MSS), unlike the Lazarus and Kimsuky threat clusters, which are part of the Reconnaissance General Bureau (RGB).

According to Google-owned Mandiant, the MSS is tasked with "domestic counter-espionage and foreign counter-intelligence operations," and APT37's campaigns reflect the agency's priorities: its operations have historically singled out individuals such as North Korean defectors and human rights activists.

“APT37’s primary assessed mission is covert intelligence gathering to support North Korea’s strategic military, political, and economic interests,” the threat intelligence firm said.

The threat actor is known to rely on custom tools such as Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to gather sensitive information from compromised hosts.


In a report published on Tuesday, the AhnLab Security Emergency Response Center (ASEC) said, "A key feature of this RedEyes group attack case is that it exploits a vulnerability in Hangul EPS and uses steganography techniques to extract the malicious code that was distributed."

The infection chain observed in January 2023 begins with a decoy Hangul document. The document exploits a patched vulnerability (CVE-2017-8291) in the word processing software to trigger shellcode that downloads an image from a remote server.

The JPEG file uses steganographic techniques to hide a portable executable. When this executable is launched, it downloads the M2RAT implant and injects it into the legitimate explorer.exe process.

Persistence is achieved by modifying the Windows registry. M2RAT itself acts as a backdoor capable of keylogging, screen capture, process execution, and information theft. Like Dolphin, it is also designed to siphon data from removable disks and connected smartphones.

"These APT attacks are very difficult to defend against, and especially since the RedEyes group is known to primarily target individuals, it can be difficult for non-corporate individuals to even perceive the damage," ASEC said.

This is not the first time CVE-2017-8291 has been weaponized by North Korean attackers. In late 2017, Lazarus Group was observed deploying Destover malware targeting cryptocurrency exchanges and users in South Korea, according to Recorded Future.
