M2RAT
Vulnerabilities exploited
1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In a new report released today by AhnLab Security Emergency Response Center (ASEC), researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.
Opening the attachment triggers the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In a new report released today by AhnLab Security Emergency Response Center (ASEC), researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The recent attacks observed by ASEC started in January 2023, when the hacking group sent phishing emails containing a malicious attachment to their targets.
Execution
5 techniques
The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and the taking of screenshots from the desktop.
For persistence on the system, the malware adds a new value ("RyPO") in the "Run" Registry key, with commands to execute a PowerShell script via "cmd.exe."
Another interesting feature of M2RAT is that it uses a shared memory section for command and control (C2) communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing them in the compromised system.
Opening the attachment triggers the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea.
Persistence
1 technique
Privilege Escalation
2 techniques
This JPG image file uses steganography... to stealthily introduce the M2RAT executable ("lskdjfei.exe") onto the system and inject it into "explorer.exe."
Stealth
2 techniques
This JPG image file uses steganography, a technique that allows hiding code inside files, to stealthily introduce the M2RAT executable ("lskdjfei.exe") onto the system and inject it into "explorer.exe."
Credential Access
1 technique
Collection
4 techniques
If a portable device is detected, it will scan the device's contents for documents and voice recording files and, if found, copy them to the PC for exfiltration to the attacker's server.
The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and the taking of screenshots from the desktop.
Before exfiltration, the stolen data is compressed in a password-protected RAR archive, and the local copy is wiped from memory to eliminate any traces.
Exfiltration
1 technique
Another interesting feature of M2RAT is that it uses a shared memory section for command and control (C2) communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing them in the compromised system.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
M2RAT is malware used in targeted espionage attacks and is listed as part of ScarCruft's custom malware arsenal.
A remote access trojan/backdoor used by APT37 for intelligence collection. It performs keylogging, data theft, command execution, screenshot capture, scans connected portable devices such as smartphones or tablets for documents and voice recordings, compresses stolen data into password-protected RAR archives, and uses shared memory for C2 communication and exfiltration to reduce forensic traces.