ROKRAT

Malware updated 4 months ago (2024-05-04T17:54:02.175Z)
RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However, recent analysis by X-Force has revealed a shift in delivery methods, with Optical Disc Image (ISO) files containing slightly modified PowerShell scripts and decoy Hangul Word Processor (HWP) documents being used instead. When these LNK files are activated, they execute a PowerShell script, open a decoy document, and start the download of RokRAT from cloud applications such as OneDrive.

The RokRAT campaigns have seen the use of various shellcode variants and public tooling, including two oversized LNK files named "inteligence.lnk" and "news.lnk". These malicious LNK files execute PowerShell code when opened, which extracts a decoy Kimsuky PDF document and fetches a hex-encoded file named story.txt from the cloud.

According to SentinelLabs, RokRAT is likely to be at the center of a wave of targeted cybersecurity attacks, primarily for intelligence collection aligned with North Korean strategic interests. In one active campaign analyzed by SentinelLabs, ScarCruft repeatedly targeted specific individuals with the goal of delivering RokRAT, a custom backdoor that enables a variety of surveillance types on targeted entities.

In addition to South Korean targets, RokRAT has also been used against international entities. As reported by Kaspersky, ScarCruft targeted a trading company linked to Russia and North Korea using a novel phishing attack chain that culminated in the delivery of RokRAT (also known as BlueLight) malware. APT 37, another threat actor, initially used RokRAT to hack the email account of a former director at South Korea's National Intelligence Service.
The activities related to the dallynk[.]com domain match those seen in previously reported ScarCruft activity using the RokRAT backdoor, suggesting a commonality in techniques and tools used by these threat actors.
Description last updated: 2024-05-04T16:24:31.609Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
DOGCALL
3
Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) malware first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat (APT37) group, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc
Amadey
3
Amadey is a sophisticated malware that has been identified as being used in various malicious campaigns. The malware is typically delivered through GuLoader, a loader known for its use in protecting payloads against antivirus detection. Analysis of the infection chains revealed encrypted Amadey payl
BLUELIGHT
2
The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components li
Bluelight Malware
2
The Bluelight malware is a harmful software program designed to exploit and damage computer systems. It was identified by Volexity in a recent investigation, where it was found being delivered to a victim alongside another malware, RokRAT. The Bluelight malware infiltrates systems through suspicious
Rambleon
2
RambleOn is a newer version of the ROKRAT malware, specifically designed for Android devices. ROKRAT, also known as DOGCALL, has been a favored tool of cyber attackers and has evolved over time to be compatible with various platforms including macOS (CloudMensis) and Android (RambleOn). This demonst
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Phishing
Payload
Backdoor
Korean
Decoy
Rat
Apt
Encryption
Macos
Android
Exploit
Trojan
Associated Threat Actors
ID | Type | Votes | Profile Description
APT37 | Unspecified
6
APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
ScarCruft | Unspecified
5
ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
InkySquid | has used
2
InkySquid, also known as ScarCruft and APT37, is a threat actor believed to be associated with North Korea. This group has been identified as the exclusive user of RokRAT, a closed-source malware family. The actions of this group are monitored by cybersecurity firms such as Volexity, which uses the
Source Document References
Information about the ROKRAT Malware was read from the documents corpus below. This display is limited to 20 results.
Source Link | Created At | Title
Checkpoint
7 months ago
29th January – Threat Intelligence Report - Check Point Research
DARKReading
8 months ago
North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
CERT-EU
a year ago
Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU
a year ago
APT trends report Q3 2023
CERT-EU
a year ago
Connect the Dots on State-Sponsored Cyber Incidents - Targeting of journalists reporting on North Korea
CERT-EU
a year ago
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
Securityaffairs
a year ago
North Korea compromised Russian missile engineering firm NPO Mashinostroyeniya
CERT-EU
a year ago
North Korean cyber spies hacked sanctioned Russian missile engineering firm
CERT-EU
a year ago
North Korean Hackers Targets Russian Missile Engineering Firm
CERT-EU
a year ago
APT trends report Q2 2023 – GIXtools
Securelist
a year ago
APT trends report Q2 2023
CERT-EU
a year ago
ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
InfoSecurity-magazine
a year ago
RedEyes Group Targets Individuals with Wiretapping Malware
CERT-EU
a year ago
ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
CERT-EU
a year ago
Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
SecurityIntelligence.com
a year ago
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People's Republic of Korea (DPRK)
MITRE
2 years ago
Korea In The Crosshairs
MITRE
2 years ago
ScarCruft continues to evolve, introduces Bluetooth harvester
MITRE
2 years ago
NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
MITRE
2 years ago
ROKRAT Reloaded