The notorious APT37, a North Korea-linked threat actor, has recently been spotted utilizing a new piece of malware called M2RAT in its ongoing attacks against its southern neighbor. These developments signify a further evolution of the group’s tools and tactics.
APT37, also known as Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is associated with North Korea’s Ministry of State Security (MSS). According to Mandiant, an intelligence firm owned by Google, MSS is responsible for “domestic counterespionage and overseas counterintelligence activities,” with APT37’s attacks in line with the agency’s priorities. These operations have historically targeted individuals, such as defectors and human rights activists.
Mandiant also stated that “APT37’s assessed primary mission is covert intelligence gathering in support of DPRK’s strategic military, political, and economic interests.”
APT37 is infamous for its use of customized tools like Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin, to extract sensitive data from hacked hosts.
The recent attack observed in January 2023 began with a deceptive Hangul document that takes advantage of a previously fixed defect in the word processing software (CVE-2017-8291) to activate a shellcode that downloads an image from a remote server. The JPEG file conceals a portable executable using steganography techniques that, when launched, download the M2RAT implant and inject it into the legitimate explorer.exe process.
M2RAT acts as a backdoor with the ability to perform keylogging, screen capture, process execution, and data theft. The malware achieves persistence by adjusting the Windows Registry. It is also designed to extract data from removable disks and connected smartphones, similar to Dolphin.
These APT attacks are incredibly challenging to safeguard against, with RedEyes Group primarily targeting individuals. This makes it challenging for non-corporate individuals to recognize the damage. The use of CVE-2017-8291 by North Korean threat actors is not new. In late 2017, the Lazarus Group used the flaw to deploy Destover malware in attacks targeting South Korean cryptocurrency exchanges and users.
In conclusion, organizations must be cautious and have security measures in place to detect these types of attacks. They should also have a contingency plan to respond to incidents effectively. The danger posed by APT37 cannot be underestimated, and its sophisticated tools and techniques call for robust defenses.
Thank you very much for sharing, I learned a lot from your article. Very cool. Thanks. nimabi