Saturday, June 12, 2021

North Korean hackers launch RokRat Trojan campaigns against the South Korean government


A North Korean hacking team is using the RokRat Trojan in a new wave of campaigns against the South Korean government authorities.

The Remote Access Trojan (RAT) has been linked to attacks that abuse a Korean-language word processor widely used in South Korea for many years, specifically through compromised Hangul Office files (.HWP).

Previously, the malware was used in phishing campaigns that lured victims with emails carrying attachments on political themes, such as Korean unification and North Korean human rights.

RokRat is thought to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123. Active since at least 2012, the advanced persistent threat (APT) group is probably state-sponsored and tasked with targeting entities of significance to the North Korean ruling party.

The sample document claims to be a meeting request dated in early 2020, indicating that attacks have taken place over the past year.

Malwarebytes states that the content of this document also indicates that it was "used to target the government of South Korea."

The document doesn't follow APT37's conventional .HWP route; instead, an embedded macro uses a VBA self-decoding technique to decode itself into the memory of Microsoft Office.

As a result, the malware doesn't need to write itself to disk, likely to avoid detection.

Once Microsoft Office has been compromised, an unpacker stub embeds a version of RokRat into the Notepad process. According to Malwarebytes, this technique allows the bypass of "several security mechanisms" with very little effort.

To circumvent the Microsoft security control that prevents dynamic execution of macro code, the attackers first have to bypass the VB object model (VBOM) protection by changing registry values.

The malicious macro checks whether the VBOM can be accessed and, if the protection has to be bypassed, attempts to set the VBOM registry key accordingly.

Depending on the outcome of that check, such as whether the VBOM setting has been bypassed, the obfuscated macro content is then deobfuscated and executed in memory.

The payload's main job is to create a module that uses shellcode to compromise Notepad, and then to retrieve an encrypted file hosted on Google Drive that contains RokRat.

Once installed on a compromised machine, RokRat concentrates on harvesting data from the host before sending it to attacker-controlled accounts at cloud storage providers such as pCloud, Dropbox, Box, and Yandex.
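As an added example from the defender's side (not code from the article or from Malwarebytes), the following Python detector turns the two observable behaviours described above, an Office process setting the AccessVBOM registry value to 1 and the injected Notepad process reaching out to cloud storage, into checks run over constructed Sysmon-style JSON events. The AccessVBOM value name and the Sysmon event IDs (13 for a registry value set, 3 for a network connection) are real; the event lines, file paths and SID are made up for the sample.

```python
import json
import re

# Registry value that, when set to 1, grants macros programmatic access to the
# VBA object model (a real Office setting; the log lines below are constructed).
VBOM_VALUE_NAME = "accessvbom"
# Office processes that have no legitimate reason to flip that setting themselves.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Cloud storage services the article names as RokRat's delivery/exfiltration channels.
CLOUD_STORAGE_DOMAINS = ("drive.google.com", "pcloud.com", "dropbox.com", "box.com", "yandex.")
# The injection target described above; it should never talk to cloud storage.
UNEXPECTED_NET_PROCESSES = {"notepad.exe"}


def process_name(image_path):
    """Return the lower-cased file name from a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_registry_event(event):
    """Sysmon-style event 13 (registry value set): flag an Office process
    writing AccessVBOM = 1, the change that bypasses the VBOM protection."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if target.rsplit("\\", 1)[-1].lower() != VBOM_VALUE_NAME:
        return None
    match = re.search(r"0x([0-9a-f]+)", str(event.get("Details", "")).lower())
    if match is None or int(match.group(1), 16) != 1:
        return None
    proc = process_name(event.get("Image", ""))
    if proc not in OFFICE_PROCESSES:
        return None
    return f"{proc} enabled VBA object-model access via {target}"


def check_network_event(event):
    """Sysmon-style event 3 (network connection): flag notepad.exe reaching
    one of the cloud storage providers RokRat is reported to use."""
    if event.get("EventID") != 3:
        return None
    proc = process_name(event.get("Image", ""))
    host = event.get("DestinationHostname", "").lower()
    if proc in UNEXPECTED_NET_PROCESSES and any(d in host for d in CLOUD_STORAGE_DOMAINS):
        return f"{proc} connected to cloud storage host {host}"
    return None


def scan(log_lines):
    """Run both checks over newline-delimited JSON events; return alert strings."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        for check in (check_registry_event, check_network_event):
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry in a Sysmon-like shape (not real captured data).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},  # alert: VBOM protection switched off by Word itself
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000000)"},  # benign: value set back to 0, not by an Office process
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},  # alert: injected Notepad
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.dropbox.com", "DestinationPort": 443},  # benign: browser traffic
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "intranet.corp.example", "DestinationPort": 80},  # outside this rule
]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

Both checks key on behaviour rather than on file hashes, which is the point: the article stresses that the macro decodes itself in memory and never touches disk, so a registry write by an Office process and an unexpected outbound connection from Notepad are the artefacts a defender can still see. In production the two host lists would be tuned per environment, and the registry check would normally also cover the Excel and PowerPoint security keys.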

The malware can steal documents, take screenshots, capture credentials, and tamper with document directories.

RokRat also tries to stay stealthy by checking for sandboxes and the presence of VMware, scanning for debugging software, and inspecting DLLs linked to Microsoft and iDefense.

In related news this week, Trustwave researchers found a new phishing campaign that deploys QRat onto Windows machines.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

