BleepingComputer reports the North Korean state-sponsored threat group APT37, also known as RedEyes or ScarCruft, has been launching attacks with the new M2RAT information-stealing malware aimed at compromising Windows and mobile devices since last month.
Phishing emails sent by the attackers carry an attachment which, when opened, triggers exploitation of the Hangul Encapsulated PostScript vulnerability tracked as CVE-2017-8291. The resulting shellcode ultimately downloads and executes the M2RAT executable, which is hidden inside a JPEG image using steganography, according to an AhnLab Security Emergency Response Center report.
Aside from featuring keylogging and command execution capabilities, M2RAT could also facilitate data theft and screenshot capturing from Windows systems and portable devices connected to Windows computers.
Researchers also found that M2RAT uses a shared memory section for command-and-control communication, file exfiltration, and stolen data transfers, which reduces the number of C2 interactions and makes analysis more challenging for security researchers.