Security News > 2023 > February > RedEyes hackers use new malware to steal data from Windows, phones
The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.
The threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT called 'Konni,' and targeted U.S. journalists with a highly-customizable malware named 'Goldbackdoor.
In a new report released today by AhnLab Security Emergency response Center, researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.
For persistence on the system, the malware adds a new value in the "Run" Registry key, with commands to execute a PowerShell script via "Cmd.exe." This same command was also seen in a 2021 Kaspersky report about APT37.
Another interesting feature of M2RAT is that it uses a shared memory section for command and control communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing them in the compromised system.
Using a memory section on the host for the above functions minimizes the exchange with the C2 and makes analysis harder, as security researchers have to analyze the memory of infected devices to retrieve the commands and data used by the malware.
News URL
Related news
- FIN7 hackers launch deepfake nude “generator” sites to spread malware (source)
- N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Unpatched Mazda Connect bugs let hackers install persistent malware (source)