A North Korean Espionage Group Is Using M2RAT Malware For Cyber Espionage

A new North Korean malware, M2RAT, discovered by ASEC researchers (translation here), is in the wild. The attack begins with phishing; the malware is installed from a downloaded JPEG in which the payload is hidden using steganography. Once running, the malware performs keylogging, data theft, command execution, and desktop screenshot capture. As if that were not intrusive enough, it locates any attached portable devices such as phones, scans them for documents and voice recording files, and transfers them to the attacker’s servers.

The malware is being used by the RedEyes attack group (aka APT37, ScarCruft), a North Korean cyber espionage hacking group believed to be state-supported. The group targets personal PC information and mobile phone data of specific individuals, not companies. The malware is distributed through the Hangul word processor EPS vulnerability (CVE-2017-8291). The vulnerability used in the attack is old and has been patched in newer versions of the word processor; the attackers seemed to know in advance that the targets were using the older version that still supports EPS.
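The post says the payload is hidden in a downloaded JPEG by steganography but does not say how it is embedded, so the following is an added defender-side example rather than code from ASEC or the post's author. It checks for one common embedding method, a blob appended after the JPEG end-of-image marker, and it finds that marker by walking the file's segment structure (including byte-stuffed scan data and restart markers) rather than searching for the last `FF D9` byte pair, which an attacker can plant inside the appended data. The sample image, the `inspect_jpeg` function and the 16-byte tolerance for harmless trailing padding are constructed assumptions.

```python
import math
import struct
from collections import Counter

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# Markers that carry no length field: TEM and RST0..RST7
STANDALONE = {0x01} | set(range(0xD0, 0xD8))
# Assumed tolerance: a few trailing bytes of padding are common in benign files
MAX_BENIGN_TRAILER = 16


def jpeg_eoi_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking JPEG segments.

    Raises ValueError if the bytes are not a structurally valid JPEG.
    """
    if data[:2] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated before marker code")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI: true end of the image data
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            raise ValueError("invalid segment length")
        pos += seg_len  # length field counts itself plus the payload
        if marker == 0xDA:
            # Start Of Scan: entropy-coded data follows until a real marker.
            # 0xFF 0x00 is byte stuffing and RSTn markers stay inside the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in STANDALONE:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes that sit after the image's EOI marker (empty for a clean file)."""
    return data[jpeg_eoi_offset(data):]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 suggest compressed or encrypted content."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def inspect_jpeg(data: bytes) -> dict:
    """Flag a JPEG that carries a non-trivial blob after its EOI marker."""
    trailer = trailing_bytes(data)
    return {
        "eoi_offset": len(data) - len(trailer),
        "trailer_len": len(trailer),
        "trailer_entropy": round(shannon_entropy(trailer), 3),
        "flag": len(trailer) > MAX_BENIGN_TRAILER,
    }


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture) for testing.

    Contains SOI, an APP0 segment, a fake SOS header, scan data with a stuffed
    0xFF, an RST0 marker, then EOI, followed by the optional trailer.
    """
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 5) + b"JFIF\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app0 + sos + scan + EOI + trailer


if __name__ == "__main__":
    clean = build_sample_jpeg()
    stuffed = build_sample_jpeg(bytes(range(256)) * 4)  # constructed high-entropy blob
    print("clean:", inspect_jpeg(clean))
    print("stuffed:", inspect_jpeg(stuffed))
```

A file that trips the flag is not proof of malware; some editors and cameras append metadata after EOI. It is a cheap triage signal worth correlating with the download source, the process that opened the file, and the entropy of the trailer.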

James Lively, Endpoint Security Research Specialist for Tanium:

   “While M2RAT, the capabilities, and the delivery process are indicative of a state-sponsored APT, the initial access vectors are the real highlight here. Phishing and exploiting unpatched services and software are generally the easiest and most cost-effective methods to gain access to a target network.

   “APTs have a reputation for operating solely out of memory while using encrypted communications to their C2s. It’s difficult to detect malicious activity within memory without escalating costs and business disruptions. Combined with encrypted C2 communications, network analyzers are often rendered ineffective since they cannot identify traffic. Based on these factors, it’s extraordinarily difficult to identify a sophisticated attacker, such as an APT, once they have gained a foothold inside of a network.”

   “It’s important for organizations to employ phishing training and campaigns often, ideally monthly or quarterly, to raise employee awareness and help them identify and report phishing attempts. Unpatched services and software allow attackers to use even decade-old vulnerabilities to gain access. Proper asset management, inventory, and patching are critical to fortifying an enterprise against attackers seeking low-hanging fruit. It only takes one employee to click a malicious link or one unpatched system to compromise a network and potentially the entire enterprise.”

While this is highly targeted malware, I suspect it’s a matter of time before attacks become broader in nature. Thus my advice would be to ensure that every endpoint, server, mobile phone, etc. is fully patched to defend against this and other threats.


 
