Thursday, September 23, 2021

North Korean hackers launch RokRat Trojan campaigns against the South Korean government

Must Read

Fines Less of a Concern than Reputational Damage for Public Sector Security

In a survey of 250 UK public sector professionals working in cybersecurity, risk, and data protection by Zivver, 52% of...

Transport for NSW confirms data theft in Accellion breach

Transport for New South Wales (TfNSW) has confirmed it will be affected by the cyberattack on the Accellion-run file...

Chrome will soon use HTTPS automatically when users type URL without prefix

Google's developers are some of the most enthusiastic promoters of browser security features over the past few years and,...

A North Korean hacking team is using the RokRat Trojan in a new wave of campaigns against the South Korean government authorities.

The Remote Access Trojan (RAT) has been linked to attacks based on the tap of a Korean language word processor widely utilized in South Korea for many years, specifically, the compromise of Hangul Office files (.HWP).

Before, the malware was utilized in phishing campaigns that lure victims through emails containing attachments with a political theme — such as Korean unification and North Korean human rights.

RokRat is thought to be the handiwork of APT37, also called ScarCruft, Reaper, and Group123. Active since 2012, in the least, the complex persistent threat group (APT) is probably state-sponsored, and tasked with targeting entities of significance to the North Korean ruling party.

The sample document claims to be a request for a meeting dated in early 2020, indicating that strikes have happened over the last year.

Malwarebytes states that the content of this document also indicates that it was”used to target the government of South Korea.”

The document doesn’t follow the conventional.HWP route of APT37; rather, an embedded macro uses a VBA self-evident technique to decode itself to the memory of Microsoft Office.

It follows that the malware doesn’t need to write itself to disk, possibly to prevent detection.

Once Microsoft Office was compromised, an unpacker stub then embeds a version of RokRat to Notepad software. By Malwarebytes, this technique allows the bypass of”several safety mechanisms” with very little effort.

To circumvent Microsoft safety, which prevents the macro dynamic implementation, the attackers first should skip the VB object model (VBOM) by changing registry values.

The malicious macro will check to find out if VBOM can be retrieved and will try to place the VBOM registry key to an if it has to be bypassed.

Based on the outcome of the check, like if the VBOM setup has been bypassed, the macro content might also be obfuscated, deobfuscated, and executed into memory.

The most important use of the payload is to make a module using shellcode to undermine Notepad before calling an encrypted document hosted on Google Drive that contains RokRat.

Once installed on a vulnerable server, RokRat will concentrate on harvesting data from the machine before sending it into attacker-controlled accounts with cloud-based providers such as Pcloud, Dropbox, Box, and Yandex.

The malware can steal documents, take screenshots, capture credentials, and tamper with document directories.

RokRat is a malware version that will also try to keep stealth by checking for sandboxes and the existence of VMWare, scan for debugging software, and assesses DLLs linked to Microsoft and iDefense.

In related news this week, Trustwave researchers recently found a new phishing campaign that deploys QRat into Windows machines.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

Apple Releases patches for an actively exploited zero-day flaw in ios, macOS

Apple on Monday Release an urgent security patch for iOS,macOS, iPadOS, to address a zero-day flaw that has been actively exploited.Apple has revealed that...

More Articles Like This