- How to clear the cache on your Windows 11 PC (and why you shouldn't wait to do it)
- These Sony headphones deliver premium sound and comfort - without the premium price
- The LG soundbar I prefer for my home theater slaps with immersive audio - and it's not the newest model
- Samsung's new flagship laptop rivals the MacBook Pro, and it's not just because of the display
- Email marketing is back and big social is panicking - everything you need to know
South Korean Lures Used to Deploy ROKRAT Malware
The North Korean threat actor known as APT37 has been observed changing deployment methods and using South Korean foreign and domestic affairs-themed lures with archives containing Windows shortcut (LNK) files that initiate ROKRAT infection chains.
“Our findings suggest that various multi-stage infection chains used to eventually load ROKRAT were utilized in other attacks, leading to the deployment of additional tools affiliated with the same actor,” explained Check Point Research (CPR) in an advisory published on Monday. “Those tools include another custom backdoor, Goldbackdoor, and the commodity malware Amadey.”
The security researchers clarified that ROKRAT infection chains, first spotted first in 2017, historically involved a malicious Hangul Word Processor (HWP) document with an exploit or a Microsoft Word document with macros.
“While some ROKRAT samples still use these techniques, we have observed a shift to delivering ROKRAT with LNK files disguised as legitimate documents,” CPR wrote. “This shift is not exclusive to ROKRAT but represents a larger trend that became very popular in 2022. In July of that year, Microsoft began blocking macros in Office applications by default in an effort to minimize the spread of malware.”
Read more on post-macro attacks: Hackers Change Tactics for New Post-Macro Era
Technically, ROKRAT mainly focuses on running additional payloads designed for data exfiltration.
“It relies on cloud infrastructure for C&C functions, including DropBox, pCloud, Yandex Cloud, and OneDrive,” CPR wrote in the advisory. “ROKRAT also collects information about the machine to prevent further infection of unintended victims.”
Further, the advisory clarifies that there are reasons behind ROKRAT being mostly unchanged in the last few years.
“This can be attributed to its slick use of in-memory execution, disguising C&C communication as potentially legitimate cloud communication, and additional layers of encryption to hinder network analysis and evade network signatures. As a result, there are not a lot of recently published articles about ROKRAT.”
The CPR advisory comes days after Mandiant experts warned of another APT associated with North Korea: APT43.
