The APT37 threat group is known for using sophisticated tactics and techniques to conduct cyber espionage operations on behalf of the North Korean government. This group is known by the aliases 'RedEyes' or 'ScarCruft.'
APT37 has been observed using a new evasive malware called 'M2RAT' to target individuals for intelligence collection. This malware uses steganography, the practice of hiding information within digital images, to avoid detection by security software. APT37's use of steganography makes it harder for security analysts to detect and analyze the malware, which in turn makes its attacks harder to prevent or mitigate. Details about M2RAT and the campaign delivering it were published in a report by the cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC).
M2RAT Malware’s Infection Chain
According to ASEC, the APT37 campaign began in January 2023, with the hackers launching a series of cyber attacks that used malicious attachments to reach victims. When a weaponized attachment is opened, it exploits an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor widely used in South Korea. The exploit runs shellcode on the victim's computer, which then downloads a malicious executable stored inside a JPEG image. The threat actors modified this JPG file using steganography, allowing the M2RAT executable ('lskdjfei.exe') to be stealthily injected into 'explorer.exe.' For persistence on the system, the malware adds a new value ('RyPO') to the 'Run' Registry key, which executes a PowerShell script via 'cmd.exe.'
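As an added example (not code from the ASEC report or this article), the persistence step described above can be looked for in endpoint telemetry: the Python below scans constructed, simplified Sysmon-style registry-set events for Run-key values that launch cmd.exe or PowerShell, or that are written by explorer.exe, the process the article says M2RAT is injected into. The log line format, the sample values other than 'RyPO', and the interpreter names beyond cmd.exe and PowerShell are assumptions.

```python
import re
from dataclasses import dataclass, field

# Run / RunOnce autorun locations; the value name is captured for reporting.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\|]+)$", re.IGNORECASE)
# cmd.exe and PowerShell are what the article describes for 'RyPO'; the rest are assumed.
INTERPRETER_RE = re.compile(
    r"\b(cmd\.exe|powershell(\.exe)?|pwsh\.exe|wscript\.exe|mshta\.exe)\b", re.IGNORECASE)
# explorer.exe rarely sets autorun values itself; M2RAT runs injected inside it.
UNUSUAL_WRITERS = {"explorer.exe"}

@dataclass
class Finding:
    value_name: str
    writer: str
    command: str
    reasons: list = field(default_factory=list)

def parse_event(line):
    """Split one constructed 'key=value|key=value' line into a dict."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)

def check_run_key_event(line):
    """Return a Finding for a suspicious Run-key write, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "13":          # 13 = RegistryValueSet in Sysmon
        return None
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    command = ev.get("Details", "")
    reasons = []
    if INTERPRETER_RE.search(command):
        reasons.append("autorun value launches a script interpreter")
    if writer in UNUSUAL_WRITERS:
        reasons.append(f"autorun value written by {writer}")
    return Finding(m.group("name"), writer, command, reasons) if reasons else None

def scan(lines):
    return [f for f in (check_run_key_event(l) for l in lines) if f]

# Constructed, simplified Sysmon-style events (not real telemetry): the first mirrors
# the persistence step in the article, the second is a benign installer autorun.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\RyPO|Details=c:\windows\system32\cmd.exe /c powershell.exe -File C:\Users\Public\update.ps1",
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater|Details=C:\Program Files\Vendor\updater.exe /background",
]
```

Calling `scan(SAMPLE_EVENTS)` flags only the 'RyPO' entry, with both reasons attached.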
The Threatening Capabilities of the M2RAT Malware
The M2RAT malware acts as a Remote Access Trojan with multiple harmful features, such as keylogging, data theft, command execution, and taking periodic screenshots. It can scan for portable devices connected to a Windows computer, like smartphones or tablets, and it will then copy any documents or voice recording files found on the device onto the infected PC for the attackers to review.
All collected data is compressed into a password-protected RAR archive before being exfiltrated, and the local copy is wiped from memory so that no traces are left behind. A notable feature of M2RAT is that it uses a shared memory section for communication with its Command-and-Control (C2, C&C) server, for data exfiltration, and for transferring collected data directly to the C2 server, which makes the memory of infected devices harder for security researchers to analyze.
By using these features, M2RAT makes it easier for attackers to gain access to and issue commands on the compromised system, as well as collect data from the device. This makes it a potent threat that all users should be aware of.