

APT37, also known as RedEyes, is a North Korean cyber espionage group that receives state support. It has recently been seen exploiting Internet Explorer zero-days and distributing various malware against targeted entities and individuals. In a new report released by AhnLab Security Emergency Response Center (ASEC), researchers explain how APT37 is now using a new malware strain called “M2RAT.” It uses steganography techniques to introduce the malware into the victim’s system and leaves very few operational traces. The recent attacks observed by ASEC started in January 2023, when the hacking group sent phishing emails containing malicious attachments to their targets.

Use of steganography in cyber espionage code

The attachment triggers the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea. The exploit causes shellcode to run on the victim’s computer, which downloads and executes a malicious executable stored within a JPEG image. This is a steganography technique that allows hiding code inside files, used here to stealthily introduce the M2RAT executable (“lskdjfei.exe”) onto the system. It is then injected into “explorer.exe.”

For persistence on the system, the malware adds a new value (“RyPO”) in the “Run” Registry key, with commands to execute a PowerShell script via “cmd.exe.” This same command was also present in a 2021 Kaspersky report about APT37. The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, and command execution. It also takes screenshots from the desktop; the screenshot-snapping function is active and works autonomously, without requiring a specific operator command. The malware also supports commands that collect information from the infected device.
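The Run-key persistence described above lends itself to a simple host-side check. The following Python script is an added example, not code from the ASEC report or the article: it parses a constructed `reg query`-style export of the HKCU Run key (the RyPO command line is a hypothetical stand-in, since the page gives only the value name) and flags entries that chain cmd.exe into PowerShell, treating a user-writable path only as supporting context.

```python
import re
from typing import NamedTuple

# Constructed sample shaped like `reg query HKCU\...\Run` output; the RyPO
# command line is a hypothetical stand-in, not M2RAT's actual value data.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    RyPO              REG_SZ           cmd.exe /c powershell.exe -WindowStyle Hidden -File C:\Users\Public\update.ps1
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

class Finding(NamedTuple):
    name: str
    command: str
    reasons: tuple

# One value per line: <name> <REG_SZ|REG_EXPAND_SZ> <data>.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.*\S)\s*$")
# PowerShell switches that hide the window, pass an encoded command or bypass execution policy.
SWITCH_RE = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|ep\s+bypass|executionpolicy\s+bypass)", re.I)
# Directories a standard user can write to; a weak signal alone (OneDrive itself runs from AppData).
USER_WRITABLE_RE = re.compile(r"\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)

def parse_run_entries(reg_query_output: str) -> dict:
    """Map value name -> command line for every Run entry in the export."""
    matches = (ENTRY_RE.match(line) for line in reg_query_output.splitlines())
    return {m.group(1): m.group(3) for m in matches if m}

def triage_entry(command: str):
    """Return (strong, weak) reason lists for one autostart command line."""
    low = command.lower()
    strong, weak = [], []
    if "cmd.exe" in low and "powershell" in low:
        strong.append("cmd.exe used to launch PowerShell")
    if SWITCH_RE.search(command):
        strong.append("hidden/encoded/bypass PowerShell switches")
    if USER_WRITABLE_RE.search(command):
        weak.append("payload in user-writable directory")
    return strong, weak

def triage_run_key(reg_query_output: str) -> list:
    """Report only entries with a strong reason; weak reasons add context."""
    findings = []
    for name, cmd in parse_run_entries(reg_query_output).items():
        strong, weak = triage_entry(cmd)
        if strong:
            findings.append(Finding(name, cmd, tuple(strong + weak)))
    return findings
```

On a live host, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent); an entry such as OneDrive is kept quiet because a user-writable path alone is not treated as a finding.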
