RedEyes group hides malicious code in images


    APT37 (also known as RedEyes, ScarCruft, Ricochet Chollima, Reaper, Group123 or InkySquid) is a North Korean cyber-espionage group believed to be backed by the DPRK government. It was recently revealed that the group is using new evasive malware, M2RAT, together with steganography to gather intelligence.

    In 2022, APT37 was seen exploiting Internet Explorer zero-day vulnerabilities and deploying a wide range of malware against targeted organizations and individuals. For example, the group attacked organizations based in the European Union with a new version of its mobile backdoor "Dolphin", deployed a custom RAT (Remote Access Trojan) called "Konni", and targeted US journalists with customized malware called "Goldbackdoor".

    In a new report, researchers at the AhnLab Security Emergency Response Center (ASEC) explain how APT37 is now using a new strain of malware called "M2RAT". It uses a shared memory section to execute commands and delete data, leaving very few traces of its activity on the infected machine.

    The attacks began in January 2023, when the group sent its targets phishing emails carrying a malicious attachment. Opening the attachment triggers an older vulnerability, CVE-2017-8291, in the Hangul word processor that is widely used in South Korea. The exploit runs shellcode on the victim's computer, which in turn downloads and executes malware stored inside a JPEG image.

    The JPG file itself relies on steganography, a technique for hiding code inside otherwise ordinary files, to discreetly drop the M2RAT executable ("lskdjfei.exe") onto the system and inject it into "explorer.exe".
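The article says the payload is hidden in a JPEG but not how. One common way is to append the executable after the image's End-Of-Image marker (FF D9), and the check below, which is an added example and not code from the article or from ASEC, walks the real JPEG marker structure and reports any bytes that follow EOI. Assumptions: the appended-after-EOI layout is assumed, not stated on the page; the sample JPEG and the "MZ" bytes appended to it are constructed test data, not the malware.

```python
"""Added example (not from the article or from ASEC): report data appended
after a JPEG's End-Of-Image marker.

Assumption: the article says the M2RAT executable is hidden inside a JPEG but
does not say how. Appending a payload after the EOI marker (FF D9) is one
common way to do that, and that is the case this check detects; it walks the
marker structure rather than searching for FF D9 anywhere in the file."""
import struct
from typing import Optional

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def _skip_entropy_coded_data(data: bytes, pos: int) -> int:
    """Advance past scan data: stuffed FF 00 and restart markers FF D0-D7 are
    part of the scan; any other FF xx is the next real marker."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                return pos
        pos += 1
    raise ValueError("scan data runs past end of file")


def jpeg_trailing_offset(data: bytes) -> Optional[int]:
    """Return the offset of the first byte after EOI if anything follows it,
    None if the file ends exactly at EOI. Raises ValueError if malformed."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: anything after it is not part of the image
            end = pos + 2
            return end if end < len(data) else None
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # stand-alone markers carry no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length  # length counts itself but not the marker
        if marker == 0xDA:  # SOS: entropy-coded data follows the header
            pos = _skip_entropy_coded_data(data, pos)
    raise ValueError("no EOI marker found")


def appended_payload(data: bytes) -> Optional[bytes]:
    """Bytes stored after the image, or None for a clean file."""
    offset = jpeg_trailing_offset(data)
    return None if offset is None else data[offset:]


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG-shaped bytes (not a viewable image): SOI, a
    JFIF APP0 segment, a one-component SOS header, scan bytes containing a
    stuffed FF 00 and an RST0 marker, then EOI. Total length is 40 bytes."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app0 + sos + scan + EOI


if __name__ == "__main__":
    clean = build_sample_jpeg()
    # Constructed stand-in for an appended executable: PE files start with "MZ".
    suspect = clean + b"MZ\x90\x00" + b"\x00" * 16
    print("clean file:", appended_payload(clean))
    print("suspect file starts with:", appended_payload(suspect)[:4])
```

Walking the markers matters because FF D9 can legitimately appear inside an embedded thumbnail (APP1/EXIF) or, in theory, inside entropy-coded data, so a plain substring search for FF D9 produces false positives; the parser skips those regions and only trusts the EOI that closes the real scan. Trailing data is not proof of malice (some cameras and editors leave harmless junk), but an "MZ" header after EOI is worth a second look.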

    To persist on the system, the malware adds a new value ("RyPO") to the "Run" registry key with commands that execute a PowerShell script via "cmd.exe". The same command was also seen in Kaspersky's 2021 report on APT37.
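A defender can turn the persistence detail above into a simple autorun check: list the values under the user's Run key and flag any whose command chains cmd.exe into PowerShell, or whose name matches the "RyPO" value the article reports. The script below is an added example, not code from the article or from ASEC. The sample Run-key entries are constructed test data; the article does not give the actual M2RAT command line, so the "RyPO" command here is a placeholder for exercising the rule, not an indicator of compromise. The Run key path and the winreg calls are the standard Windows ones; the encoded-command and hidden-window heuristics are general PowerShell hardening checks added here, not something the page attributes to M2RAT.

```python
"""Added example (not from the article or from ASEC): flag Run-key autorun
entries that launch PowerShell through cmd.exe, the persistence pattern the
article attributes to M2RAT (a value named "RyPO" under the Run key).

SAMPLE_RUN_VALUES is constructed data in the shape of the name/value pairs
under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. The article
does not give the malware's command line, so the "RyPO" command is a
placeholder for testing the rule, not an indicator of compromise."""
import re
import sys
from typing import Dict, Iterable, List, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Value name the article reports for M2RAT persistence (from the ASEC write-up).
REPORTED_VALUE_NAMES = {"rypo"}

CMD_RE = re.compile(r"\bcmd(\.exe)?\b")
ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\b")   # general heuristic, not from the page
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden\b")       # general heuristic, not from the page

SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [  # constructed sample data
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("RyPO", r'cmd.exe /c powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Public\update.ps1"'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]


def classify_autorun(name: str, command: str) -> List[str]:
    """Return the reasons an autorun entry looks suspicious (empty if none)."""
    reasons: List[str] = []
    cmd = command.lower()
    if name.lower() in REPORTED_VALUE_NAMES:
        reasons.append("value name matches the name reported for M2RAT")
    if CMD_RE.search(cmd) and "powershell" in cmd:
        reasons.append("cmd.exe is used to launch PowerShell")
    if ENCODED_RE.search(cmd):
        reasons.append("PowerShell command line is base64-encoded")
    if HIDDEN_RE.search(cmd):
        reasons.append("PowerShell window is hidden")
    return reasons


def scan_autoruns(entries: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name, command in entries:
        reasons = classify_autorun(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_current_user_run_key() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key (Windows only, via the standard winreg module)."""
    import winreg  # ImportError on non-Windows platforms

    entries: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_current_user_run_key() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for value_name, why in scan_autoruns(entries).items():
        print(f"{value_name}: " + "; ".join(why))
```

On a Windows host the script reads the real HKCU Run key; elsewhere it runs against the constructed sample, where only the "RyPO" entry is flagged (name match, cmd.exe launching PowerShell, hidden window). The HKLM Run key and the RunOnce keys follow the same layout and could be checked with the same function by changing the hive and path.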

    The M2RAT backdoor acts like a regular remote access Trojan, performing keylogging, stealing data, executing commands, and taking desktop screenshots. The screen capture function is activated periodically and works autonomously without requiring a special operator command.

    Of particular interest is the malware's ability to scan portable devices connected to the Windows computer, such as smartphones or tablets. When a portable device is detected, the malware searches its contents for documents and voice recordings and, if it finds any, copies them to the computer for sending to the attacker. Before exfiltration, the stolen data is compressed into a password-protected RAR archive, and the local copy is erased to remove any traces.

    Another notable feature of M2RAT is that it uses a shared memory section to exchange data with the C2 server without storing that data on the compromised system. Using a shared memory section on the host minimizes communication with the C2 server and makes analysis harder for researchers.

    APT37 continues to update its custom toolset with malware that is hard to detect and analyze. These tools are especially effective against small organizations that are not prepared to detect and repel such attacks.

    Author DeepWeb