APT37 Malware Deployed by North Korea to Target South Korea

On February 15, 2023, Google-owned Mandiant identified a new piece of malware, M2RAT, linked to the North Korea-linked threat actor, APT37. This attack campaign is reflective of the priorities of North Korea’s Ministry of State Security (MSS), which is tasked with domestic counterespionage and overseas counterintelligence activities.

The infection chain commences with a decoy Hangul document which exploits a now-patched flaw in the word processing software (CVE-2017-8291) to trigger shellcode that downloads an image from a remote server. The image uses steganographic techniques to conceal a portable executable that, when launched, downloads the M2RAT implant and injects it into the legitimate explorer.exe process. M2RAT is designed to be a backdoor capable of keylogging, screen capture, process execution, and information theft.

AhnLab Security Emergency response Center (ASEC) noted that these APT attacks are very difficult to defend against, and can be difficult for non-corporate individuals to even recognize the damage. This is not the first time CVE-2017-8291 has been weaponized by North Korean threat actors; in late 2017, the Lazarus Group was observed targeting South Korean cryptocurrency exchanges and users to deploy Destover malware, according to Recorded Future.

APT37 continues to evolve its tactics and features, making it increasingly difficult to defend against.