RedEyes Hacking Group

RedEyes Hacking Group (aka APT37), a threat group known for its cyber espionage activities, has recently adopted a new tactic in its efforts to collect intelligence from targeted individuals. 

This group is now using a sophisticated malware called “M2RAT,” which is specifically designed to evade detection by security software. 

In addition to using M2RAT, APT37 is also utilizing steganography, a technique that hides information within seemingly innocuous files or images, to further conceal their activities.

The APT37 hacking group is thought to be supported by North Korea, and it operates in cyberespionage. APT37 is also known by other names, including:

  • RedEyes
  • ScarCruft

Initiates with Phishing

During 2022, this notorious hacking group was observed exploiting zero-day vulnerabilities in the popular web browser Internet Explorer. 

This group utilized these exploits as part of their efforts to distribute various types of malware to their targeted entities and individuals.

A recent series of cyber attacks was observed by the AhnLab Security Emergency Response Center (ASEC). These attacks began in January 2023 and involved the targeted distribution of phishing emails containing malicious attachments to selected victims. 

The attackers utilized social engineering tactics to entice their targets into opening the email and downloading the attachment.

When a user opens the malicious attachment distributed in this recent series of cyber-attacks, it triggers the exploitation of an old EPS vulnerability, identified as CVE-2017-8291.

This vulnerability is present in the Hangul word processor, which is commonly used in South Korea.

A particular exploit has been identified that allows an attacker to run shellcode on a victim’s computer. This exploit is designed to be triggered when the user opens a JPEG image that the attacker has tampered with.

Once the exploit is triggered, it causes the victim’s computer to download and execute a malicious payload that is stored within the JPEG image.

The group of threat actors directed their attention towards various organizations based in the European Union, deploying a new variant of their mobile backdoor known as “Dolphin.” 

In addition to this, the group also utilized a customized remote access trojan (RAT) called “Konni” in their attacks.

The attackers also targeted journalists located in the United States with a highly flexible type of malware referred to as “Goldbackdoor,” which offers a range of customization options depending on the attackers’ objectives.

The M2RAT malware employs a shared memory section to communicate and transfer data, as well as to conceal its activities, leaving minimal traces on the infected device.

C&C of M2RAT and Commands

The M2RAT malware, which is utilized by the APT37 threat group, employs a particular method for communicating with the attacker’s C&C server. Specifically, M2RAT receives commands from the server by embedding them within the body of the POST method. 

This allows the attacker to send instructions to the malware in a manner that is more difficult for security software to detect.

The commands used are listed below:

  • OKR: Commands received at the time of initial C&C communication connection
  • URL: Registry key value modification for C&C update
  • UPD: Update the C&C you are currently connected to
  • RES: C&C connection termination (M2RAT termination)
  • UNI: C&C connection termination (M2RAT termination)
  • CMD: Execute remote control commands (keylogging, process creation/execution, etc.)

To identify the victim system, M2RAT’s attacker server uses the host’s MAC address as an identifier. Specifically, the server uses an encoded value of the MAC address to identify the victim’s computer.
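As an added illustration of how a defender might hunt for this C&C pattern in proxy logs, the following Python script is not code from the ASEC report or from M2RAT itself. It assumes the log exposes each request as a record with a source host, HTTP method and body, and that the six command keywords listed above appear as standalone tokens in the POST body; the sample records are constructed.

```python
"""Hunting helper for M2RAT-style C&C commands carried in HTTP POST bodies.

Added illustration, not code from the ASEC report or from M2RAT. Assumption:
each proxy-log record is a dict with 'src', 'method' and 'body', and the
command keyword appears as a standalone token in the POST body.
"""
import re
from collections import defaultdict

# The six command keywords reported for M2RAT and what each implies.
M2RAT_COMMANDS = {
    "OKR": "initial check-in",
    "URL": "C&C update written to registry",
    "UPD": "switch to updated C&C",
    "RES": "terminate",
    "UNI": "terminate",
    "CMD": "remote control (keylogging, process execution, ...)",
}
# Case-sensitive, whole-token match to limit noise from ordinary web traffic.
_TOKEN = re.compile(r"\b(OKR|URL|UPD|RES|UNI|CMD)\b")

# Constructed sample records; the body layout is illustrative only.
SAMPLE_LOG = [
    {"src": "10.0.0.5", "method": "POST", "body": "id=0a1b2c&cmd=OKR"},
    {"src": "10.0.0.5", "method": "POST", "body": "id=0a1b2c&cmd=CMD&arg=shot"},
    {"src": "10.0.0.5", "method": "POST", "body": "id=0a1b2c&cmd=UPD"},
    {"src": "10.0.0.9", "method": "GET", "body": ""},              # not a POST
    {"src": "10.0.0.9", "method": "POST", "body": "cmd=RES"},      # no check-in seen
    {"src": "10.0.0.7", "method": "POST", "body": "q=url shortener"},  # benign
]

def extract_commands(records):
    """Return {src: [commands in order]} for POST bodies carrying the tokens."""
    seen = defaultdict(list)
    for rec in records:
        if rec["method"] != "POST":
            continue
        seen[rec["src"]].extend(_TOKEN.findall(rec["body"]))
    return {src: cmds for src, cmds in seen.items() if cmds}

def triage(records):
    """Per host: commands seen, lifecycle flags, and the action each implies."""
    report = {}
    for src, cmds in extract_commands(records).items():
        report[src] = {
            "commands": cmds,
            "checked_in": "OKR" in cmds,
            "terminated": any(c in ("RES", "UNI") for c in cmds),
            "c2_changed": any(c in ("URL", "UPD") for c in cmds),
            "actions": [M2RAT_COMMANDS[c] for c in cmds],
        }
    return report
```

A host flagged with `c2_changed` is the one whose registry and outbound connections are worth checking first, since the malware has been told to move to a new server.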

Windows and Mobile Devices are Targeted by M2RAT

M2RAT enables the attackers to gain remote access to an infected system and carry out a range of malicious activities, including:

  • Keylogging
  • Data theft
  • Command execution
  • Taking of screenshots from the desktop

Screenshots are taken periodically, and this feature operates without the operator having to issue a specific command to activate it.

In particular, it is interesting to note that the malware is able to scan the Windows computer for any portable devices connected to it.

Upon detection of a portable device, a scan will be performed to identify any documents and voice recordings contained on the device. If it detects any file, it copies the detected files and later exfiltrates them to a server controlled by the attacker.

There has been a steady rise in APT37’s use of evasive malware that is difficult to detect and analyze as part of its custom toolkit.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.