ROKRAT

Malware updated a month ago (2024-11-29T13:58:22.215Z)

Download STIX

Preview STIX

RokRAT is a form of malware that has been utilized in cyber-espionage campaigns primarily targeting South Korean entities. It is typically delivered via phishing emails containing ZIP file attachments, which contain LNK files disguised as Word documents. When the LNK file is activated, a PowerShell script is executed, opening a decoy document to initiate the download process of RokRAT from cloud applications such as OneDrive. In recent RokRAT-related files analyzed by X-Force, instead of a ZIP file, Optical Disc Image files (ISO) were found containing LNK files with slightly modified PowerShell scripts and Hangul Word Processor decoy documents (HWP). The group behind these attacks, known as APT37 or ScarCruft, has consistently used RokRAT in their operations, including a notable attack exploiting a 1-click WPS Office bug to deliver the malware without any user interaction. The group has been particularly active against South Korean media and research organizations, delivering RokRAT via malicious documents. Interestingly, APT37 also targeted a trading company linked to Russia and North Korea using a novel phishing attack chain that culminated in the delivery of RokRAT. In one specific campaign, two oversized LNK files named "inteligence.lnk" and "news.lnk" were used. These LNK files, when opened, execute PowerShell code which extracts a decoy PDF document and fetches a hex-encoded file from the cloud. This process goes through two more shellcode stages before ultimately executing the Windows executable payload without any disk involvement, deploying RokRAT. The group's activities seem aligned with the efforts of North Korea's Ministry of State Security (MSS), indicating an intelligence collection motive. The SentinelLabs report suggests that RokRAT will continue to be at the center of cybersecurity targeting efforts in the foreseeable future.

Description last updated: 2024-11-15T16:18:23.950Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
DOGCALL is a possible alias for ROKRAT. Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) malware first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat (APT37) group, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc	3
Amadey is a possible alias for ROKRAT. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ	3
Bluelight Malware is a possible alias for ROKRAT. The Bluelight malware is a harmful software program designed to exploit and damage computer systems. It was identified by Volexity in a recent investigation, where it was found being delivered to a victim alongside another malware, RokRAT. The Bluelight malware infiltrates systems through suspicious	2
Rambleon is a possible alias for ROKRAT. RambleOn is a newer version of the ROKRAT malware, specifically designed for Android devices. ROKRAT, also known as DOGCALL, has been a favored tool of cyber attackers and has evolved over time to be compatible with various platforms including macOS (CloudMensis) and Android (RambleOn). This demonst	2
BLUELIGHT is a possible alias for ROKRAT. The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components li	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Windows

Phishing

Payload

Backdoor

Korean

Decoy

Rat

Exploit

Apt

Android

Encryption

Macos

Trojan

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT37 Threat Actor is associated with ROKRAT. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and	Unspecified	6
The ScarCruft Threat Actor is associated with ROKRAT. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me	Unspecified	5
The InkySquid Threat Actor is associated with ROKRAT. InkySquid, also known as ScarCruft and APT37, is a threat actor believed to be associated with North Korea. This group has been identified as the exclusive user of RokRAT, a closed-source malware family. The actions of this group are monitored by cybersecurity firms such as Volexity, which uses the	has used	2

Source Document References

Information about the ROKRAT Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 months ago	DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks
Checkpoint	a year ago	29th January – Threat Intelligence Report - Check Point Research
DARKReading	a year ago	North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
CERT-EU	a year ago	Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU	a year ago	APT trends report Q3 2023
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of journalists reporting on North Korea
CERT-EU	a year ago	Comrades in Arms? \| North Korea Compromises Sanctioned Russian Missile Engineering Company
Securityaffairs	a year ago	North Korea compromised Russian missile engineering firm NPO Mashinostroyeniya
CERT-EU	a year ago	North Korean cyber spies hacked sanctioned Russian missile engineering firm
CERT-EU	a year ago	North Korean Hackers Targets Russian Missile Engineering Firm
CERT-EU	a year ago	APT trends report Q2 2023 – GIXtools
Securelist	a year ago	APT trends report Q2 2023
CERT-EU	2 years ago	ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
InfoSecurity-magazine	2 years ago	RedEyes Group Targets Individuals with Wiretapping Malware
CERT-EU	2 years ago	ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
CERT-EU	2 years ago	Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
SecurityIntelligence.com	2 years ago	ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People's Republic of Korea (DPRK)
MITRE	2 years ago	Korea In The Crosshairs
MITRE	2 years ago	ScarCruft continues to evolve, introduces Bluetooth harvester
MITRE	2 years ago	NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea