RokRat Trojan Used By North Korean Attackers To Target South Korea
A North Korean threat group has been observed delivering the RokRat Trojan in another spear-phishing campaign aimed at the South Korean government. Attributing the attack to APT37 (also known as ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document earlier in December that, when opened, runs a macro in memory to install the remote access trojan (RAT) mentioned above.
The researchers from Malwarebytes in an article explained that “The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad”.
Believed to be active since at least 2012, the Reaper APT is known for targeting public and private organisations, mainly in South Korea, across the chemicals, electronics, manufacturing, aerospace, automotive, and healthcare sectors. Since then, the group's victimology has expanded beyond the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. Whereas earlier attacks used malware-laced Hangul Word Processor (HWP) files, the use of self-decrypting VBA Office documents to deliver RokRat points to a change in tactics for APT37, the researchers say.
The Microsoft VBA document that was uploaded to VirusTotal in December is believed to be a meeting request scheduled for January 23, 2020, suggesting that the attacks took place almost a year earlier. Chief among the tasks of the embedded macro is to inject shellcode into a Notepad.exe process, which then downloads the RokRat payload in encrypted form from a Google Drive URL. First publicly documented by Cisco Talos in 2017, RokRat is a RAT favoured by APT37, which has used it since 2016 in a number of campaigns. A backdoor distributed through trojanized documents, it is well suited to capturing screenshots, logging keystrokes, evading analysis through anti-virtual-machine checks, and using cloud storage APIs such as Box, Yandex, and Dropbox.
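The delivery chain described above (a macro that stays in Office memory, shellcode placed in a Notepad.exe process, and a payload pulled from Google Drive or another cloud storage service) leaves a distinctive trace in endpoint telemetry even when the document itself evades static scanning: an Office process spawning Notepad, and Notepad, which has no reason to talk to the network, opening a connection to a cloud storage host. The following is an added example, not code from the article or from Malwarebytes, of detection logic run over a few constructed Sysmon-style process-creation and network-connection events. The pipe-delimited log format, the field names, the severities and the cloud-storage hostname list are all assumptions for this example; the hostnames are a plausible set for the services the article names and would need tuning to what a real proxy log shows.

```python
"""Detect the RokRat post-macro chain from process and network events.

Added example (not from the article or Malwarebytes). The log format below
is an assumption modelled loosely on Sysmon EventID 1 (process create) and
EventID 3 (network connect); real deployments would read the actual fields.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Office hosts in which a weaponized VBA document would execute.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Cloud storage services the article names as RokRat channels (Google Drive,
# Box, Yandex, Dropbox). Hostnames are an illustrative, assumed set.
CLOUD_STORAGE_HOSTS = {
    "drive.google.com", "www.googleapis.com",
    "api.dropboxapi.com", "content.dropboxapi.com",
    "api.box.com", "upload.box.com",
    "cloud-api.yandex.net",
}


@dataclass
class Event:
    ts: str
    kind: str            # "proc" (process create) or "net" (network connect)
    pid: int
    image: str           # image basename, lower-cased
    parent_pid: int = 0
    parent_image: str = ""
    dest_host: str = ""


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited event line (assumed format, see module doc)."""
    parts = [p.strip() for p in line.split("|")]
    if parts[1] == "proc":
        ts, _, pid, image, ppid, pimage = parts
        return Event(ts, "proc", int(pid), image.lower(), int(ppid), pimage.lower())
    ts, _, pid, image, host = parts
    return Event(ts, "net", int(pid), image.lower(), dest_host=host.lower())


def detect(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (severity, pid, description) findings for the RokRat chain.

    Severity tiers (assumed for this example):
      medium   - Office spawned notepad.exe, or notepad.exe touched the network
      high     - notepad.exe reached a cloud storage host, OR the connecting
                 notepad.exe was spawned by Office
      critical - both: Office-spawned notepad.exe reached cloud storage
    """
    findings: List[Tuple[str, int, str]] = []
    office_spawned: Dict[int, Event] = {}   # pid -> notepad.exe created by Office

    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_line(line)

        if ev.kind == "proc" and ev.image == "notepad.exe" and ev.parent_image in OFFICE_IMAGES:
            office_spawned[ev.pid] = ev
            findings.append(("medium", ev.pid, f"{ev.parent_image} spawned {ev.image}"))

        elif ev.kind == "net" and ev.image == "notepad.exe":
            cloud = ev.dest_host in CLOUD_STORAGE_HOSTS
            spawned = ev.pid in office_spawned
            if cloud and spawned:
                sev = "critical"
            elif cloud or spawned:
                sev = "high"
            else:
                sev = "medium"
            findings.append((sev, ev.pid, f"{ev.image} connected to {ev.dest_host}"))

    return findings


# Constructed sample telemetry, not real data. PID 4388 reproduces the chain
# from the article; PID 5012 is a user-launched Notepad that reaches Box;
# the chrome.exe line is benign noise and must not fire.
SAMPLE_LOG = """
# ts|kind|pid|image|parent_pid|parent_image      (proc)
# ts|kind|pid|image|dest_host                    (net)
2020-12-07T09:14:02|proc|4120|WINWORD.EXE|3888|explorer.exe
2020-12-07T09:14:31|proc|4388|notepad.exe|4120|WINWORD.EXE
2020-12-07T09:14:33|net|4388|notepad.exe|drive.google.com
2020-12-07T09:20:10|proc|5012|notepad.exe|3888|explorer.exe
2020-12-07T09:21:00|net|5200|chrome.exe|drive.google.com
2020-12-07T09:25:00|net|5012|notepad.exe|api.box.com
"""


def run_sample() -> List[Tuple[str, int, str]]:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for sev, pid, desc in run_sample():
        print(f"[{sev:8}] pid={pid} {desc}")
```

The correlation keyed on PID is what separates the critical tier from ordinary noise: a Notepad that a user opened and that happens to reach Box is worth a look, but a Notepad whose parent is WINWORD.EXE and which then fetches from Google Drive matches the article's chain end to end. In production the same two rules map naturally onto Sysmon EventID 1 and EventID 3 joined on ProcessGuid, with the hostname list replaced by whatever your proxy resolves.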
“The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro. That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document”, stated researchers while concluding.
The cloud-service-based RAT was updated in 2019 with functionality for stealing data from Bluetooth devices, as part of a campaign to exfiltrate data from trading and investment companies in Russia and Vietnam and an agency in Hong Kong.