A North Korean hacking team is using the RokRat Trojan in a new wave of campaigns against the South Korean government authorities.
The Remote Access Trojan (RAT) has previously been linked to attacks based on the exploitation of a Korean-language word processor widely used in South Korea for many years, specifically the compromise of Hangul Office files (.HWP).
Previously, the malware was used in phishing campaigns that lured victims with emails carrying attachments on political themes, such as Korean unification and North Korean human rights.
RokRat is thought to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123. Active since at least 2012, the advanced persistent threat (APT) group is probably state-sponsored and is tasked with targeting entities of significance to the North Korean ruling party.
The sample document claims to be a request for a meeting dated in early 2020, indicating that attacks have taken place over the last year.
Malwarebytes states that the content of this document also indicates that it was "used to target the government of South Korea."
The document doesn't follow APT37's conventional .HWP route; instead, an embedded macro uses a VBA self-decoding technique to decode itself within the memory of Microsoft Office.
As a result, the malware doesn't need to write itself to disk, likely to evade detection.
Once Microsoft Office has been compromised, an unpacker stub embeds a variant of RokRat into the Notepad process. According to Malwarebytes, this technique allows the bypass of "several security mechanisms" with very little effort.
To circumvent the Microsoft security control that prevents macros from being executed dynamically, the attackers first need to bypass the VB object model (VBOM) protection by changing registry values.
The malicious macro checks whether VBOM access can be obtained and, if the protection needs to be bypassed, attempts to set the VBOM registry key to one.
Depending on the outcome of that check, i.e. whether the VBOM setting has been bypassed, the obfuscated macro content may then be deobfuscated and executed in memory.
The main purpose of the payload is to create a module that uses shellcode to compromise Notepad, before fetching an encrypted file hosted on Google Drive that contains RokRat.
Once installed on a vulnerable machine, RokRat focuses on harvesting data from the machine before sending it to attacker-controlled accounts with cloud-based providers such as pCloud, Dropbox, Box, and Yandex.
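The two behaviours described above, an Office process enabling VBA project object model access through the registry and the injected Notepad process reaching out to cloud storage, both leave traces a defender can look for. The following is an added example, not code from Malwarebytes or from the article: a small detector that runs over constructed Sysmon-style events. It assumes Sysmon event ID 13 (registry value set) and event ID 3 (network connection) as the log format, and uses the real Office setting path HKCU\Software\Microsoft\Office\<version>\<app>\Security\AccessVBOM ("Trust access to the VBA project object model"); the sample events and the cloud-storage domain list are my own constructions for illustration.

```python
"""Detect AccessVBOM tampering by Office and notepad.exe talking to cloud storage.

Added example (not from the article or the Malwarebytes report). Event shapes
follow Sysmon's RegistryEvent (ID 13) and NetworkConnect (ID 3) fields; the
events below are constructed samples, not real telemetry.
"""
import re

# Office hosts that a malicious macro would run inside.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Cloud storage services the article names as staging/exfiltration points
# (Google Drive, pCloud, Dropbox, Box, Yandex). Constructed list.
CLOUD_STORAGE_DOMAINS = (
    "drive.google.com", "googleapis.com", "pcloud.com",
    "dropbox.com", "box.com", "yandex.com", "yandex.ru",
)

# Real Office setting: Software\Microsoft\Office\<ver>\<app>\Security\AccessVBOM.
# Sysmon writes the hive as HKU\<SID>\..., so only anchor on the tail.
ACCESSVBOM_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\(Word|Excel|PowerPoint)\\Security\\AccessVBOM$",
    re.IGNORECASE,
)


def _image_name(ev):
    """Return the lower-cased executable name from a full Image path."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def check_registry_event(ev):
    """Flag an Office process setting AccessVBOM to 1 (trust VBA object model)."""
    if ev.get("EventID") != 13:
        return None
    image = _image_name(ev)
    if image not in OFFICE_PROCESSES:
        return None
    if not ACCESSVBOM_RE.search(ev.get("TargetObject", "")):
        return None
    # Sysmon renders DWORD values as "DWORD (0x00000001)".
    if "0x00000001" not in ev.get("Details", ""):
        return None
    return f"{image} set AccessVBOM=1 ({ev['TargetObject']})"


def check_network_event(ev):
    """Flag notepad.exe, which has no business talking to cloud storage."""
    if ev.get("EventID") != 3:
        return None
    if _image_name(ev) != "notepad.exe":
        return None
    host = ev.get("DestinationHostname", "").lower()
    if not any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
        return None
    return f"notepad.exe connected to cloud storage host {host}"


def scan(events):
    """Run both checks over a list of events and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_registry_event, check_network_event):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Word enabling VBOM access: suspicious
        "EventID": 13,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
        "Details": "DWORD (0x00000001)",
    },
    {   # Same value set interactively via regedit: not matched by this rule
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
        "Details": "DWORD (0x00000001)",
    },
    {   # Notepad reaching Google Drive: consistent with the injected payload
        "EventID": 3,
        "Image": r"C:\Windows\System32\notepad.exe",
        "DestinationHostname": "drive.google.com",
        "DestinationPort": 443,
    },
    {   # A browser reaching Dropbox: normal
        "EventID": 3,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "DestinationHostname": "www.dropbox.com",
        "DestinationPort": 443,
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The registry check is deliberately narrow (only Office binaries, only a value of 1) so that an administrator legitimately enabling the setting through regedit or Group Policy does not trip it; in practice the Notepad rule can be widened to any outbound connection from notepad.exe, since the process has no legitimate reason to use the network at all.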
The malware can steal documents, take screenshots, capture credentials, and tamper with document directories.
RokRat also tries to stay stealthy by checking for sandboxes and the presence of VMware, scanning for debugging software, and checking for DLLs linked to Microsoft and iDefense.
In related news this week, Trustwave researchers found a new phishing campaign that deploys QRat onto Windows machines.