RedEyes group hides malicious code in images


APT37 (aka RedEyes, ScarCruft, Ricochet Chollima, Reaper, Group123 or InkySquid) is a North Korean cyber-espionage group believed to be backed by the DPRK authorities. It was recently revealed that the group is using a new evasive malware, M2RAT, together with steganography to gather intelligence.

In 2022, APT37 was seen exploiting Internet Explorer zero-day vulnerabilities and deploying a wide range of malware against targeted organizations and individuals. For example, the group attacked organizations based in the European Union with a new version of its mobile backdoor called "Dolphin", deployed a custom RAT (Remote Access Trojan) called "Konni", and attacked US journalists with a customized malware called "Goldbackdoor".

In a new report from the AhnLab Security Emergency Response Center (ASEC), researchers describe how APT37 is now using a new strain of malware called "M2RAT". It uses a shared memory section to execute commands and remove data, leaving very little trace of its activity on the infected machine.

These attacks began in January 2023, when the group sent phishing emails with a malicious attachment to its targets. The chain works as follows: opening the attachment triggers the old vulnerability CVE-2017-8291 in the Hangul word processor, which is widely used in South Korea. The exploit runs shellcode on the victim's computer, which in turn downloads and executes malware hidden in a JPEG image.

The JPEG file relies on steganography, a technique for hiding code inside otherwise ordinary files, to discreetly drop the M2RAT executable ("lskdjfei.exe") onto the system, after which the malware is injected into "explorer.exe".

To persist on the system, the malware adds a new value ("RyPO") to the "Run" registry key with commands that execute a PowerShell script via "cmd.exe". The same command was also seen in Kaspersky's 2021 report on APT37.
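As an added example (not code from the article or from the ASEC report), the following Python check parses an exported Run key in .reg format and flags entries that fit the persistence pattern described above: the value name "RyPO" is taken from the report, while the command string, script path and the other Run entries are constructed placeholders.

```python
import re

# Constructed sample of an exported Run key in .reg format. The value name
# "RyPO" is the one ASEC attributes to M2RAT; the command string and the
# PLACEHOLDER.ps1 path are made up, since the article does not reproduce them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"RyPO"="c:\\windows\\system32\\cmd.exe /c powershell -w hidden -ep bypass -f C:\\Users\\Public\\PLACEHOLDER.ps1"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

KNOWN_RUN_VALUE_NAMES = {"RyPO"}          # value name reported by ASEC for M2RAT
RUN_KEY_MARKER = r"\currentversion\run"   # matches both HKCU and HKLM Run keys
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>.*)"$')
PS_VIA_CMD_RE = re.compile(r"cmd(\.exe)?\b.*\bpowershell", re.IGNORECASE)

def parse_run_values(reg_text: str) -> dict[str, str]:
    """Return {value_name: command} for every string value under a Run key."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().endswith(RUN_KEY_MARKER + "]")
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            # .reg exports escape quotes and backslashes; undo that before matching
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values[m.group("name")] = data
    return values

def flag_suspicious(values: dict[str, str]) -> dict[str, list[str]]:
    """Return {value_name: [reasons]} for Run entries matching the M2RAT pattern."""
    findings: dict[str, list[str]] = {}
    for name, cmd in values.items():
        reasons = []
        if name in KNOWN_RUN_VALUE_NAMES:
            reasons.append("value name matches the M2RAT persistence entry")
        if PS_VIA_CMD_RE.search(cmd):
            reasons.append("cmd.exe used to launch PowerShell from a Run key")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in flag_suspicious(parse_run_values(SAMPLE_REG_EXPORT)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and its HKLM counterpart).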

The M2RAT backdoor acts like a regular remote access Trojan, performing keylogging, stealing data, executing commands, and taking desktop screenshots. The screen capture function is activated periodically and works autonomously, without requiring a specific operator command.

Of particular interest is the malware's ability to scan portable devices connected to a Windows computer, such as smartphones or tablets. When a portable device is detected, the malware scans its contents for documents and voice recordings and, if any are found, copies them to the computer for exfiltration to the attacker. Before being exfiltrated, the stolen data is compressed into a password-protected RAR archive, and the local copy is then erased to eliminate traces.

Another interesting feature of M2RAT is that it uses a shared memory section for its interaction with the C2 server, so that the exchanged data need not be stored on the compromised system. Using shared memory on the host minimizes communication with the C2 server and complicates analysis by researchers.

APT37 continues to update its custom toolset with malware that is difficult to detect and analyze. These tools are especially effective in attacks on small organizations that are not prepared to detect and repel them.

Author: DeepWeb