The North Korean threat actor known as APT37 has been observed changing its deployment methods, using decoys themed around South Korean domestic and foreign affairs whose files contain Windows Shortcut (LNK) files that start ROKRAT infection chains.
“Our findings suggest that multiple multi-stage infection chains used to ultimately load ROKRAT were used in other attacks, leading to the deployment of additional tools affiliated with the same actor,” Check Point Research (CPR) explained in an advisory issued Monday. “These tools include another custom backdoor, Goldbackdoor, and the Amadey malware.”
Security researchers clarified that ROKRAT’s infection chains, first detected in 2017, historically involved a malicious Hangul Word Processor (HWP) document with an exploit or a Microsoft Word document with macros.
“While some ROKRAT samples still use these techniques, we have noticed a shift in delivering ROKRAT with LNK files disguised as legitimate documents,” CPR wrote. “This change is not unique to ROKRAT, but represents a larger trend that became very popular in 2022. In July of that year, Microsoft began blocking macros in Office applications by default in an effort to minimize the spread of malware.”
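As an added defensive illustration, not code from the CPR advisory: a small Python check that recognises a file as a Windows shortcut by its ShellLinkHeader (the 0x4C header size and the fixed link CLSID) regardless of its extension, and flags the document-masquerade pattern described above, such as a `.hwp.lnk` double extension or a shortcut that carries command-line arguments. The sample header bytes are constructed here for testing, and the document-extension list is an assumption.

```python
import struct
import uuid

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size per MS-SHLLINK
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ARGUMENTS = 0x20    # LinkFlags bit: shortcut carries a command line
# Assumed set of "document-looking" extensions worth flagging
DOC_EXTS = {".hwp", ".doc", ".docx", ".pdf", ".xlsx", ".pptx", ".txt"}

def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])  # GUID is stored little-endian
    return size == LNK_HEADER_SIZE and clsid == LNK_CLSID

def link_flags(data: bytes) -> int:
    """LinkFlags field at offset 0x14 of the header."""
    return struct.unpack_from("<I", data, 0x14)[0]

def masquerade_reasons(name: str, data: bytes) -> list[str]:
    """Return reasons a shortcut looks like it is posing as a document."""
    reasons = []
    if not is_lnk(data):
        return reasons
    stem, _, ext = name.lower().rpartition(".")
    if ext != "lnk":
        reasons.append("LNK magic but extension is not .lnk")
    else:
        inner_ext = "." + stem.rpartition(".")[2] if "." in stem else ""
        if inner_ext in DOC_EXTS:
            reasons.append(f"double extension {inner_ext}.lnk")
    if link_flags(data) & HAS_ARGUMENTS:
        reasons.append("shortcut carries command-line arguments")
    return reasons

def make_sample(flags: int) -> bytes:
    """Constructed minimal 76-byte header for testing; not a real sample."""
    hdr = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    return hdr + b"\x00" * (LNK_HEADER_SIZE - len(hdr))
```

Run `masquerade_reasons` over the file name and first 76 bytes of each attachment or archive member; a non-empty list is a triage signal, not a verdict.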
Technically, ROKRAT mainly focuses on running additional payloads designed for data exfiltration.
“It relies on cloud infrastructure for C&C functions, including DropBox, pCloud, Yandex Cloud and OneDrive,” CPR wrote in the notice. “ROKRAT also collects information about the machine to prevent further infections of unintended victims.”
In addition, the notice clarifies that there are reasons why ROKRAT has not changed much in recent years.
“This can be attributed to its clever use of in-memory execution, disguising C&C communication as potentially legitimate cloud communication, and additional layers of encryption to hinder network analysis and evade network signatures. As a result, there are not many recently published articles about ROKRAT.”
CPR’s warning comes days after Mandiant experts warned of another APT associated with North Korea: APT43.
Ikaroa has recently been made aware of a sophisticated cyber attack wherein a malicious South Korean group deployed ROKRAT malware to lure victims into clicking on a malicious link. This malware is capable of infiltrating a victim’s computer and stealing sensitive information.
Recent reports have revealed that sophisticated attackers have been using legitimate-looking South Korean lures to draw potential targets into falling for this malware. The lures include emails associated with South Korean websites, crafted to appear as though they come from legitimate companies.
Once a target has received the malicious email, it will prompt the recipient to click a link, which in turn downloads and installs the ROKRAT malware. This malware is designed to steal credentials and other sensitive information, and can also inject malicious code into a target’s system. Once downloaded, the malware can capture keystrokes, screenshots, and even login details, allowing cyber criminals to track victims’ activities and gain access to their data.
At Ikaroa, we take cyber security seriously and strongly advise all users to not click on any unknown links or emails, even if they appear to be from a legitimate company. Furthermore, it is always recommended that users keep their systems updated with the latest security patches and anti-virus software in order to protect themselves from such cyber-attacks.
We also urge users to be mindful of their computer activity and be alert for any suspicious activity that might suggest that their system is being manipulated by an external actor. If a user suspects their computer of being infected with ROKRAT malware, they should immediately contact their local security experts to investigate and take action.
Ikaroa is committed to equipping users with the latest information and knowledge in the field of cyber security, and providing them with the tools necessary to protect themselves and their data. We believe that educating users on cyber security is the best way to stay safe online and protect against sophisticated cyber threats.