
APT37 Exploits Hangul Vulnerability with Highly-Evasive M2RAT Malware

The North Korean state-sponsored hacking group APT37, also known as RedEyes or ScarCruft, has recently added a new evasive malware dubbed M2RAT to its arsenal. The group is using the malware in conjunction with steganography to target specific individuals and steal personal PC information and mobile phone data.

What's happening?

AhnLab researchers found that the recent attacks started in January and that APT37 is distributing the malware by exploiting an old Encapsulated PostScript (EPS) vulnerability in the Hangul word processor.
  • The vulnerability (CVE-2017-8291) is a type-confusion vulnerability in Artifex Ghostscript, which can be exploited to execute arbitrary code.
  • The attackers send phishing emails containing malicious attachments that trigger the exploitation of the Hangul EPS vulnerability.
  • The exploit runs shellcode on the victim's computer; the shellcode downloads a JPEG image from the attacker's C2 server and decrypts the encoded PE file.
  • This JPG image file uses steganography to evade network detection. The PE file stealthily introduces the M2RAT executable onto the system, injects it into explorer[.]exe, and adds persistence to the system.
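
For triaging an image like the JPEG described above, the following added example (not from the original article or from AhnLab) walks the JPEG markers to the true end-of-image and looks for a single-byte-XOR-encoded PE in whatever follows. The article does not say where in the image the payload sits or how it is encoded, so the trailing-data placement and XOR scheme are assumptions, as are the function names and the constructed sample bytes.

```python
import struct

def jpeg_trailer(data: bytes) -> bytes:
    """Walk the JPEG marker structure; return whatever follows the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"lost marker sync at offset {i}")
        m = data[i + 1]
        if m == 0xD9:                          # EOI: the rest is trailer
            return data[i + 2:]
        if m == 0xFF:                          # fill byte before a marker
            i += 1
        elif m == 0x01 or 0xD0 <= m <= 0xD7:   # TEM / RSTn have no length field
            i += 2
        elif i + 4 > len(data):
            break                              # truncated segment header
        else:
            i += 2 + struct.unpack_from(">H", data, i + 2)[0]
            if m == 0xDA:                      # SOS: skip entropy-coded data
                while i + 1 < len(data) and not (
                        data[i] == 0xFF and data[i + 1] not in (0x00, 0xFF)
                        and not 0xD0 <= data[i + 1] <= 0xD7):
                    i += 1
    raise ValueError("no EOI marker found")

def find_xored_pe(blob: bytes):
    """Return (offset, key) of a single-byte-XOR-encoded PE image, or None."""
    for key in range(256):                     # key 0 also catches a plain PE
        mz = bytes((0x4D ^ key, 0x5A ^ key))
        pos = blob.find(mz)
        while pos != -1:
            hdr = bytes(b ^ key for b in blob[pos:pos + 0x40])
            if len(hdr) == 0x40:
                lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
                sig = blob[pos + lfanew:pos + lfanew + 4]
                if bytes(b ^ key for b in sig) == b"PE\0\0":
                    return pos, key
            pos = blob.find(mz, pos + 1)
    return None

# Constructed sample (not a decodable image, not a real sample): marker skeleton
# with a decoy FFD9 inside APP1, then 8 filler bytes and a 0x5A-XORed PE stub.
_STUB = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
CLEAN = (b"\xff\xd8" + b"\xff\xe1\x00\x06\xff\xd9\x00\x00"
         + b"\xff\xda\x00\x02\x12\xff\x00\x34" + b"\xff\xd9")
SAMPLE = CLEAN + b"\xaa" * 8 + bytes(b ^ 0x5A for b in _STUB)
```

Calling `find_xored_pe(jpeg_trailer(SAMPLE))` reports the offset and key of the stub, while a plain search for `FF D9` would stop at the decoy inside the APP1 segment.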

Interestingly, in this campaign, attackers seemed aware of targets using an old version of the Hangul word processor that supports EPS.

Malware capabilities

M2RAT performs basic remote control malware functions such as keylogging, data theft, and command execution or termination, and takes screenshots from the desktop periodically.
  • The malware uses a shared memory section for C2 communication and data exfiltration to make analysis harder.
  • It scans for portable devices connected to the Windows computer, such as smartphones or tablets, and copies data from these devices to the PC to exfiltrate it.
  • It directly transmits the stolen data as a password-protected compressed RAR archive to the attacker's server, rather than storing the stolen data in the victim system.
  • Lastly, it wipes the local copy from memory to eliminate any traces of the stolen data.

Overall, the malware is highly capable of evading detection and making analysis harder for security researchers.


APT37 continues to refresh its custom toolsets with evasive malware to make detection and analysis challenging. The group is consistent in its targeting strategy and intelligence collection motive. Moreover, targeting non-corporate individuals makes it difficult to recognize the damage caused by the group’s attacks. As Hangul is commonly used in South Korea, users are advised to use threat detection tools and antivirus software to stay safe against such threats.
Cyware Publisher