Severity
Medium
Analysis Summary
APT37, also known as Reaper, is a threat actor group that has been associated with North Korea’s government. This group has been active for several years and has been linked to a range of cyber espionage and cyber attack campaigns, targeting a wide range of organizations in different industries and countries.
Recently, researchers have linked APT37 to a new malware strain called M2RAT, a remote access trojan (RAT) used to gain remote access to a compromised system, steal data, and execute commands. The malware is capable of bypassing antivirus and intrusion detection systems, which makes it difficult to detect and remove. According to researchers, the Ministry of State Security is tasked with domestic counterespionage and overseas counterintelligence activities, and APT37’s attack campaigns reflect the agency’s priorities. The group’s operations have historically targeted individuals such as defectors and human rights activists, indicating a focus on political and ideological objectives.
APT37 has been linked to a range of customized tools that it uses to harvest sensitive information from compromised hosts. These tools include Chinotto, RokRat, BLUELIGHT, GOLDBACKDOOR, and Dolphin. These tools are designed to evade detection and allow the threat actor to gain remote access to compromised systems, steal data, and execute commands.
“The main characteristics of this RedEyes group attack case are the use of the Hangul EPS vulnerability and the spread of malicious code using the steganography technique.”
In January 2023, the threat actors used a decoy Hangul document to initiate an infection chain. The document exploits a now-patched vulnerability in the word processing software (CVE-2017-8291), which allows the execution of arbitrary code through a specially crafted document, to trigger shellcode that downloads an image from a remote server. This vulnerability has been patched by Microsoft, but systems that have not been updated with the latest security patches may still be vulnerable.
Once the shellcode is executed, it downloads an image from a remote server, which is then used to launch the M2RAT malware.
M2RAT is capable of keylogging, screen capture, process execution, and information theft. Like other malware used by APT37, M2RAT is designed to be persistent on the compromised system, with persistence achieved through a Windows Registry modification. M2RAT is also capable of siphoning data from removable disks and connected smartphones, similar to another tool used by APT37, Dolphin. This highlights the advanced capabilities of APT37 and its evolving tactics in cyber espionage and cyber attack campaigns.
“These APT attacks are very difficult to defend against, and in particular, the RedEyes group is known to mainly attack individuals, so it may be difficult for non-corporate individuals to even recognize the damage,” the researchers conclude.
Impact
- Information Theft
- Keylogging
- Screen Capturing
Indicators of Compromise
MD5
- 7bab405fbc6af65680443ae95c30595d
SHA-256
- f2bb03cd2570c2ba1f2f43b2dd70e484881b28bf0ad96306716f6455abef1a06
SHA-1
- 00dedd40e1c2148fa895eea35a5d406555b99e33
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Upgrade to the latest version of CVE-2022-41128 here.
- In addition, users should be aware of phishing emails and their attachments, as they are the most common attack vector of this group. Furthermore, disabling the protected view and verifying the set cookie before launching the exploit can also help in preventing the attack.
- Do not download document files attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
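The "search for IOCs in your environment" step above is often done ad hoc; the following is an added example, not part of the Rewterz advisory or any vendor tool, of a small hash sweep that checks files on disk against the MD5, SHA-1 and SHA-256 indicators listed in this advisory. The directory layout, file names and file contents in the demo are constructed for illustration; only the three IoC hashes come from the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash indicators taken from the advisory's "Indicators of Compromise" section.
IOC_HASHES = {
    "md5": {"7bab405fbc6af65680443ae95c30595d"},
    "sha1": {"00dedd40e1c2148fa895eea35a5d406555b99e33"},
    "sha256": {"f2bb03cd2570c2ba1f2f43b2dd70e484881b28bf0ad96306716f6455abef1a06"},
}
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, streamed in chunks so large files
    do not have to be loaded into memory."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return the (algorithm, digest) pairs that appear in the IoC set.
    Digests are compared case-insensitively, since feeds mix upper and lower case."""
    return [(alg, d.lower()) for alg, d in digests.items()
            if d.lower() in iocs.get(alg, set())]


def scan_tree(root, iocs=IOC_HASHES):
    """Walk a directory tree and return {path: [hits]} for files whose hash is an IoC."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(hash_file(path), iocs)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if matched:
                hits[path] = matched
    return hits


def demo():
    """Constructed demo: a temporary tree with one benign file and one file whose
    SHA-256 is added to a copy of the IoC set, so a hit can be shown offline.
    Returns {relative posix path: [hits]}."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly report draft\n")  # constructed content
        suspect = Path(tmp) / "sub" / "update.exe"
        suspect.parent.mkdir()
        suspect.write_bytes(b"constructed sample, not real malware\n")  # constructed content
        test_iocs = {alg: set(values) for alg, values in IOC_HASHES.items()}
        test_iocs["sha256"].add(hash_file(suspect)["sha256"])
        hits = scan_tree(tmp, test_iocs)
        return {Path(p).relative_to(tmp).as_posix(): m for p, m in hits.items()}


if __name__ == "__main__":
    for path, matched in demo().items():
        print(f"IoC hit: {path} -> {matched}")
```

In practice the `IOC_HASHES` dictionary would be loaded from a feed and `scan_tree` pointed at user profile and temp directories; a hit should be treated as a trigger for triage, not as proof of infection on its own, because hash indicators only catch the exact sample listed.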