South Korean Lures Used to Deploy ROKRAT Malware

A North Korean threat actor known as APT37 has modified its deployment method and used archives containing Windows shortcut (LNK) files to initiate the ROKRAT infection chain, using lures themed on South Korean diplomatic and domestic issues. It has been observed to

In an advisory published Monday, Check Point Research (CPR) said, “Our findings indicate that the various multi-stage infection chains that were ultimately used to load ROKRAT were leveraged in other attacks, suggesting that additional tools associated with the same actor were deployed. These tools included another custom backdoor, Goldbackdoor, and commodity malware Amadey.”

First discovered in 2017, ROKRAT’s infection chain historically involved malicious Hangul Word Processor (HWP) documents containing exploits or Microsoft Word documents containing macros, security researchers revealed.

“Some samples of ROKRAT still use these techniques, but they tend to deliver ROKRAT using LNK files masquerading as legitimate documents,” CPR wrote. “This change is not specific to ROKRAT, but represents a larger trend that has become very common in 2022, after macros began to be blocked in Office applications by default.”
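As an added defensive illustration (not code from the CPR advisory or the article), the following Python script inspects a ZIP archive for shortcut entries of the kind described above: any .lnk inside a document bundle is flagged, and a double extension imitating a document or an oversized shortcut raises the finding. The document extensions, the size threshold and the constructed sample archive are assumptions.

```python
import io
import zipfile

# Document extensions a lure shortcut is likely to imitate (assumption; the
# advisory mentions HWP and Word documents as the historical lure formats).
DOC_EXTS = (".hwp", ".doc", ".docx", ".pdf", ".txt")
SIZE_THRESHOLD = 100 * 1024  # a normal shortcut is a few KB; threshold is an assumption


def suspicious_lnk_entries(archive_bytes: bytes) -> list[dict]:
    """Return one finding per .lnk entry found inside a ZIP archive.

    A shortcut inside an archive that poses as a document bundle is unusual
    on its own; a double extension such as 'report.hwp.lnk' or a shortcut
    far larger than a normal LNK adds reasons to the finding.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4].lower()
            reasons = ["lnk inside archive"]
            if stem.endswith(DOC_EXTS):
                reasons.append("double extension imitating a document")
            if info.file_size > SIZE_THRESHOLD:
                reasons.append(f"oversized shortcut ({info.file_size} bytes)")
            findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign document and one lure-style entry.

    The .lnk content is placeholder bytes, not a real shortcut.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.hwp", b"benign document content")
        zf.writestr("agenda.hwp.lnk", b"L" * (200 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_lnk_entries(build_sample_archive()):
        print(finding["name"], finding["size"], "; ".join(finding["reasons"]))
```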


Technically, ROKRAT is primarily focused on executing additional payloads designed for data exfiltration.

“C&C capabilities rely on cloud infrastructure such as DropBox, pCloud, Yandex Cloud and OneDrive,” CPR wrote in the advisory. “ROKRAT also collects information about machines to prevent further infection of unintended victims.”

Additionally, the advisory reveals why ROKRAT has changed so little over the past few years.

“This may be due to the clever use of in-memory execution, disguising C&C communications as potentially legitimate cloud communications, and an additional layer of encryption to thwart network analysis and avoid network signatures. As a result, not many recent articles on ROKRAT have been published.”

The CPR advisory comes days after Mandiant experts warned about another APT linked to North Korea, APT43.
