This is how M2RAT works, the malware that is capable of emptying bank accounts in seconds

Malware, or malicious software, can infiltrate the system of your mobile device or PC to steal your data. The M2RAT is among the most dangerous today, since it can empty bank accounts in seconds, among other damages.

Its origin is in North Korea, and its attacks are directed at the country's neighboring rival, South Korea. As The Hacker News points out, the threat actor APT37, backed by the Kim Jong-un government, created the powerful malware.

APT37 is also known by the nicknames Reaper, RedEyes, Ricochet Chillima, and ScarCruft. It is unknown whether it is a single person or a group of people.

“APT37’s primary assessed mission is covert intelligence gathering in support of the strategic military, political, and economic interests of the Democratic People’s Republic of Korea,” explained Mandiant, a threat intelligence firm.

But how does M2RAT work?

APT37’s M2RAT malware roadmap

The M2RAT malware exploits a Hangul EPS vulnerability and relies on steganography to distribute its malicious code.

The infection chain begins with a decoy Hangul document that exploits a flaw in the word processing software, CVE-2017-8291 (patched once the flaw became known), to run shellcode that downloads an image from a remote server.

The JPEG file uses steganography to conceal a portable executable that, when launched, downloads the M2RAT implant and infects the legitimate explorer.exe process, according to The Hacker News.
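A defender-side triage check that follows from this chain, added here as an example and not taken from the article or from any campaign sample: parse a JPEG up to its End-Of-Image marker, then inspect whatever trails it for a Windows PE header. The minimal JPEG and the stand-in executable are constructed inline; real images with appended data would be scanned the same way.

```python
import struct
SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def trailing_data(jpeg: bytes) -> bytes:
    """Return every byte appended after the JPEG End-Of-Image marker (empty if none)."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):  # walk marker segments up to Start-Of-Scan (FFDA)
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        pos += 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xDA:
            break
    while pos + 1 < len(jpeg):  # entropy-coded data: FF00 is byte stuffing, FFD0-FFD7 are restarts
        if jpeg[pos] == 0xFF:
            nxt = jpeg[pos + 1]
            if nxt == 0xD9:
                return jpeg[pos + 2:]
            if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                # another marker segment (e.g. a further SOS in a progressive JPEG): skip it
                pos += 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
                continue
        pos += 1
    return b""

def find_embedded_pe(blob: bytes) -> int:
    """Offset of a PE image in blob (an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'), or -1."""
    off = blob.find(b"MZ")
    while off != -1:
        if len(blob) >= off + 0x40:
            e_lfanew = struct.unpack("<I", blob[off + 0x3C:off + 0x40])[0]
            if blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
                return off
        off = blob.find(b"MZ", off + 1)
    return -1

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample(trailer: bytes = b"") -> bytes:
    # Constructed minimal JPEG, not a real campaign sample: SOI, APP0/JFIF, SOS, a few entropy
    # bytes including a stuffed FF00 and a restart marker, EOI, then whatever trails it.
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    return SOI + app0 + sos + b"\x12\xff\x00\x34\xff\xd0\x56" + EOI + trailer

# Constructed stand-in for a hidden executable: 64-byte DOS header (e_lfanew = 0x40), then 'PE\0\0'.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00\x4c\x01"
```

Trailing bytes after EOI are a cheap signal on their own; the PE check separates an appended executable from harmless padding or metadata.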

What does the virus do?

  • Logs keystrokes, capturing everything the user types on the device.
  • Captures screenshots.
  • Runs processes without prompting or asking permission.
  • Steals user information.
  • Diverts data from removable drives and connected smartphones.

Hence, any data that is handled through the device or PC is susceptible to being stolen by M2RAT, including that related to bank accounts.