New activity by APT37, North Korea's RedEyes group.
N2K, Feb 16, 2023

The threat actor uses steganography to download malware.

North Korea’s APT37 (also known as “RedEyes” or “ScarCruft”) is distributing a new strain of malware dubbed “M2RAT,” according to a report from AhnLab Security Emergency Response Center (ASEC).

Old Hangul vulnerability used to deliver malware.

ASEC spotted M2RAT being distributed via phishing emails last month. The emails carry documents that execute shellcode by exploiting an EPS vulnerability in the Hangul word processor, which BleepingComputer notes is commonly used in South Korea. The shellcode downloads a JPEG image to the victim’s machine, then uses steganography to extract code that in turn downloads M2RAT. The malware is designed to exfiltrate data via keylogging and screenshotting. M2RAT also scans for mobile devices connected to the infected machine and transfers any documents or voice recordings it finds to the PC.
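The article does not say how the loader hides its code inside the downloaded JPEG, and the example below is not ASEC's or the article's code. It is an added defensive check that walks a JPEG's segment structure and flags two generic places a payload can be hidden in an otherwise valid image: bytes appended after the End Of Image (EOI) marker, which image viewers silently ignore, and oversized APPn/COM metadata segments. The sample image bytes are constructed inline (a minimal JPEG skeleton, not a real photo), and the 16 KiB metadata threshold is an assumption chosen for illustration. True steganography in the pixel data itself would pass these checks, so treat this as one triage heuristic for files pulled from a download proxy or mail gateway, not a complete detector.

```python
"""Structural triage of JPEG files: report data appended after the EOI
marker and oversized metadata segments.  Heuristic only: embedding in the
pixel data itself is not detected.  Sample input below is constructed."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}    # RSTn and TEM: no length field
METADATA = set(range(0xE0, 0xF0)) | {0xFE}      # APP0..APP15 and COM


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data to the next real marker.  Inside scan data a
    0xFF byte is always followed by 0x00 (byte stuffing) or an RSTn marker."""
    n = len(data)
    while pos + 1 < n:
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return n


def jpeg_anomalies(data: bytes, max_metadata_len: int = 16 * 1024) -> dict:
    """Walk the segment chain and return structural findings.
    max_metadata_len is an assumed threshold, not a standard value."""
    result = {"well_formed": False, "eoi_found": False,
              "trailing_bytes": 0, "large_metadata": []}
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        return result                       # not a JPEG at all
    pos = 2
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return result                   # lost marker sync: corrupt file
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte between segments
            pos += 1
            continue
        if marker == EOI:
            result.update(well_formed=True, eoi_found=True,
                          trailing_bytes=n - (pos + 2))
            return result                   # anything after EOI is suspicious
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return result
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > n:
            return result                   # length runs past end of file
        if marker in METADATA and seg_len > max_metadata_len:
            result["large_metadata"].append((marker, seg_len))
        pos += 2 + seg_len
        if marker == SOS:                   # entropy-coded data follows the SOS header
            pos = _skip_entropy_coded(data, pos)
    return result


def build_sample(appended: bytes = b"", comment: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture) used as
    offline test input: SOI, APP0, optional COM, SOS with fake scan data, EOI."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    body = bytes([0xFF, SOI])
    body += seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if comment:
        body += seg(0xFE, comment)
    body += seg(SOS, b"\x01\x01\x00\x00\x3f\x00")     # one-component SOS header
    body += b"\x12\x34\xff\x00\x56\x78"                # fake scan data with stuffed 0xFF00
    body += bytes([0xFF, EOI])
    return body + appended


if __name__ == "__main__":
    print("clean   :", jpeg_anomalies(build_sample()))
    print("appended:", jpeg_anomalies(build_sample(appended=b"X" * 300)))
    print("big COM :", jpeg_anomalies(build_sample(comment=b"A" * 20000)))
```

A clean file reports `trailing_bytes == 0` and no large metadata; a file with content appended past EOI reports the exact number of trailing bytes, which is a cheap signal to combine with the file's source (an unexpected image fetched by a document process) rather than a verdict on its own.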

Threat actor targets individuals.

ASEC explains that APT37 usually targets “human rights activists, journalists, and North Korean defectors.” The researchers note that since the threat actor targets individuals and personal devices rather than companies with expensive security solutions, the victims often don’t know they’ve been compromised.

Industry comment.

James Lively, Endpoint Security Research Specialist at Tanium, offered the following observations:

“While M2RAT, the capabilities, and the delivery process are indicative of a state-sponsored APT, the initial access vectors are the real highlight here. Phishing and exploiting unpatched services and software are generally the easiest and most cost-effective methods to gain access to a target network.

“APTs have a reputation for operating solely out of memory while using encrypted communications to their C2s. It’s difficult to detect malicious activity within memory without escalating costs and business disruptions. Combined with encrypted C2 communications, network analyzers are often rendered ineffective since they cannot identify traffic. Based on these factors, it’s extraordinarily difficult to identify a sophisticated attacker, such as an APT, once they have gained a foothold inside of a network.

“It’s important for organizations to employ phishing training and campaigns often, ideally monthly or quarterly, to raise employee awareness and help them identify and report phishing attempts. Unpatched services and software allow attackers to use even decade-old vulnerabilities to gain access. Proper asset management, inventory, and patching are critical to fortifying an enterprise against attackers seeking low-hanging fruit. It only takes one employee to click a malicious link or unpatched system to compromise a network and potentially the entire enterprise.”