In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea.
The RedEyes group is known for targeting specific individuals rather than corporations, stealing not only information from the victim's PC but also data from their mobile phone. A distinctive characteristic of the latest RedEyes attack is that the group exploited the HWP EPS vulnerability and used the steganography technique to distribute its malware.
The HWP EPS vulnerability used in these attacks is an old vulnerability that has already been patched in the latest version of the Hangul Word Processor. We assume that the threat actor initiated the attacks after checking in advance that their targets (individuals) were using an older version of HWP that still supports EPS. Furthermore, there is a confirmed past case of the RedEyes group using the steganography technique to distribute malware: in 2019, Kaspersky published a report stating that the ScarCruft (RedEyes) group's downloader used steganography to download additional malware.
We attribute this attack to the RedEyes group because two of its elements match the format the group has used in the past: the use of the steganography technique to download malware, and the use of a RUN key command for autorun registration to maintain a persistent connection to the C&C server.