Security News > 2023 > February > RedEyes hackers use new malware to steal data from Windows, phones
The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.
The threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT called 'Konni,' and targeted U.S. journalists with a highly-customizable malware named 'Goldbackdoor.
In a new report released today by AhnLab Security Emergency response Center, researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.
For persistence on the system, the malware adds a new value in the "Run" Registry key, with commands to execute a PowerShell script via "Cmd.exe." This same command was also seen in a 2021 Kaspersky report about APT37.
Another interesting feature of M2RAT is that it uses a shared memory section for command and control communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing them in the compromised system.
Using a memory section on the host for the above functions minimizes the exchange with the C2 and makes analysis harder, as security researchers have to analyze the memory of infected devices to retrieve the commands and data used by the malware.
News URL
Related news
- Windows users targeted with fake human verification pages delivering malware (source)
- Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware (source)
- Hackers deploy AI-written malware in targeted attacks (source)
- New Windows Malware Locks Computer in Kiosk Mode (source)
- N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks (source)
- FIN7 hackers launch deepfake nude “generator” sites to spread malware (source)
- N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)