The North Korea-linked threat actor tracked as APT37 has been linked to a new piece of malware dubbed M2RAT in attacks targeting South Korea, suggesting continued evolution of the group's tooling and tactics.
APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is a component within North Korea's Ministry of State Security (MSS), unlike the Lazarus and Kimsuky threat clusters, which are part of the Reconnaissance General Bureau (RGB).
According to Google-owned Mandiant, MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," with APT37's attack campaigns reflective of the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists.
"APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelligence firm said.
The threat actor is known to rely on custom tools such as Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin to harvest sensitive information from compromised hosts.
"The main characteristic of this RedEyes Group attack case is that it used a Hangul EPS vulnerability and used steganography techniques to distribute malicious codes," AhnLab Security Emergency response Center (ASEC) said in a report published Tuesday.
The infection chain observed in January 2023 commences with a decoy Hangul document, which exploits a now-patched flaw in the word processor (CVE-2017-8291, a Ghostscript bug reachable through the EPS images that HWP files can embed) to trigger shellcode that downloads an image from a remote server.
The JPEG file uses steganographic techniques to conceal a portable executable that, when launched, downloads the M2RAT implant and injects it into the legitimate explorer.exe process.
Persistence is achieved by means of a Windows Registry modification. M2RAT functions as a backdoor capable of keylogging, screen capture, process execution, and information theft. Like Dolphin, it is also designed to siphon data from removable disks and connected smartphones.
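The steganography step above is the part of the chain an analyst can check for offline: a JPEG that renders normally but carries executable bytes behind the image data. The following triage script is an added example written for this page, not ASEC's analysis code or anything recovered from the attack. Because the page does not describe the actual hiding scheme, the script assumes the simplest carrier (payload appended after the JPEG End-Of-Image marker, optionally obfuscated with a single-byte XOR key) and both the sample JPEG and the fake PE stub it scans are constructed inline.

```python
"""Heuristic check for a Windows PE hidden behind a JPEG's image data.

Added example for this article; assumes an appended, single-byte-XOR
obfuscated payload. Real image-based loaders may hide data differently.
"""
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# Markers that carry no 2-byte length field: SOI, TEM, RST0..RST7.
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def jpeg_image_end(data: bytes):
    """Return the offset just past the JPEG's EOI marker, or None if malformed.

    Segments before SOS carry a big-endian length, so they are skipped by
    length (an EXIF thumbnail inside APP1 cannot fool the scan). After SOS,
    0xFF in entropy-coded data is always followed by 0x00 or an RSTn marker,
    so the first 0xFFD9 seen there is the genuine end of image.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == SOS:
            end = data.find(EOI, pos)
            return None if end < 0 else end + 2
        if marker == 0xD9:            # EOI before any scan data: odd but terminal
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
    return None


def pe_header_at(blob: bytes, off: int, key: int = 0) -> bool:
    """True if blob[off:] decodes (XOR key) to a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if off + 0x40 > len(blob):
        return False
    if bytes(b ^ key for b in blob[off:off + 2]) != b"MZ":
        return False
    e_lfanew = struct.unpack("<I", bytes(b ^ key for b in blob[off + 0x3C:off + 0x40]))[0]
    sig_off = off + e_lfanew
    if e_lfanew < 0x40 or sig_off + 4 > len(blob):
        return False
    return bytes(b ^ key for b in blob[sig_off:sig_off + 4]) == b"PE\x00\x00"


def find_trailing_pe(data: bytes):
    """Return (trailer_offset, pe_offset_within_trailer, xor_key) or None.

    For each candidate key only the positions where the XORed 'MZ' occurs
    are validated, so the search stays linear in the trailer size.
    """
    end = jpeg_image_end(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    for key in range(256):
        needle = bytes((ord("M") ^ key, ord("Z") ^ key))
        off = trailer.find(needle)
        while off != -1:
            if pe_header_at(trailer, off, key):
                return end, off, key
            off = trailer.find(needle, off + 1)
    return None


def sample_clean() -> bytes:
    """Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, a few scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains a stuffed 0xFF00 and an RST0
    return SOI + app0 + sos + scan + EOI


def sample_with_hidden_pe(key: int = 0x5A) -> bytes:
    """Constructed carrier: the clean JPEG followed by a XOR-obfuscated fake PE stub."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)          # e_lfanew -> PE signature
    pe = bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"     # Machine = i386
    return sample_clean() + bytes(b ^ key for b in pe)


if __name__ == "__main__":
    print("clean:", find_trailing_pe(sample_clean()))
    print("carrier:", find_trailing_pe(sample_with_hidden_pe()))
```

Run against a directory of images pulled from proxy logs, a hit gives the trailer offset and the key needed to carve the embedded executable for further analysis; a miss only means the payload is not stored this way, not that the image is clean.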
"These APT attacks are very difficult to defend against, and the RedEyes group in particular is known to primarily target individuals, so it can be difficult for non-corporate individuals to even recognize the damage," ASEC said.
This is not the first time CVE-2017-8291 has been weaponized by North Korean threat actors. In late 2017, the Lazarus Group was observed taking advantage of the flaw in attacks targeting South Korean cryptocurrency exchanges and users to deploy Destover malware, according to Recorded Future.
Some parts of this article are sourced from:
thehackernews.com