South Korean Lures Used to Deploy ROKRAT Malware
The North Korean threat actor known as APT37 has been observed changing deployment methods and using South Korean foreign and domestic affairs-themed lures with archives containing Windows shortcut (LNK) files that initiate ROKRAT infection chains.
“Our findings suggest that various multi-stage infection chains used to eventually load ROKRAT were utilized in other attacks, leading to the deployment of additional tools affiliated with the same actor,” explained Check Point Research (CPR) in an advisory published on Monday. “Those tools include another custom backdoor, Goldbackdoor, and the commodity malware Amadey.”
The security researchers clarified that ROKRAT infection chains, first spotted first in 2017, historically involved a malicious Hangul Word Processor (HWP) document with an exploit or a Microsoft Word document with macros.
“While some ROKRAT samples still use these techniques, we have observed a shift to delivering ROKRAT with LNK files disguised as legitimate documents,” CPR wrote. “This shift is not exclusive to ROKRAT but represents a larger trend that became very popular in 2022. In July of that year, Microsoft began blocking macros in Office applications by default in an effort to minimize the spread of malware.”
Read more on post-macro attacks: Hackers Change Tactics for New Post-Macro Era
Technically, ROKRAT mainly focuses on running additional payloads designed for data exfiltration.
“It relies on cloud infrastructure for C&C functions, including DropBox, pCloud, Yandex Cloud, and OneDrive,” CPR wrote in the advisory. “ROKRAT also collects information about the machine to prevent further infection of unintended victims.”
Further, the advisory clarifies that there are reasons behind ROKRAT being mostly unchanged in the last few years.
“This can be attributed to its slick use of in-memory execution, disguising C&C communication as potentially legitimate cloud communication, and additional layers of encryption to hinder network analysis and evade network signatures. As a result, there are not a lot of recently published articles about ROKRAT.”
The CPR advisory comes days after Mandiant experts warned of another APT associated with North Korea: APT43.