What is Rokrat?
Rokrat is a cloud-based RAT (remote access tool) that’s used primarily by APT37, aka ScarCruft – an infamous North Korean threat – to target victims in South Korea. APT37 specifically used Rokrat during several campaigns between 2016 and 2018. They sent a malicious Hangual Word Processor (HWP) document in spearphishing emails to infect hosts.
How does Rokrat work?
It uses legit Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms. This makes it challenging to block globally.
Upon infecting a device, this malware can execute various commands to move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes.
Why is Rokrat trending?
ScarCruft has been recently involved in targeting the South Korean government by using a VBA self-decode technique to inject Rokrat. On December 7, 2020, a malicious document that was uploaded to VirusTotal was identified. This document pretended to be a meeting request, which was aimed at the South Korean government. The attack had apparently taken place a year back.
#1 Malwarebytes Threat Intelligence
— Malwarebytes Threat Intelligence (@MBThreatIntel) January 6, 2021
#2 NK News
NEW: North Korean hacker group APT37 is weaponizing MS Word documents in spear-phishing attacks.
Malicious code found in lure documents downloads and installs malware "likely used to target the government of South Korea," according to a recent report.https://t.co/yvOaPa6Ui4
— NK NEWS (@nknewsorg) January 7, 2021
#3 Mihoko Matsubara
A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government, compromising Hangul Office documents (.HWP). RokRat is believed to be the handiwork of APT37, active since 2012 at least. https://t.co/suWa2xHTHu
— Mihoko Matsubara (@M_Miho_JPN) January 8, 2021
Rokrat references from KNOW
- Total references: 791
- Previous 60 days: 374
- Last 7 days: 373
Rokrat threat intel context from KNOW
- Related threat actors: ScarCruft and Turla Group.
- Related intrusion methods: Malware, Phishing, Keylogger, ShellCode, Exploit, and Zero Day.
- Industries targeted: Aerospace and Defense.
- Hashes: 23
- URLs: 1
- Associated vulnerabilities: CVE-2018-4878
KNOW our powerful threat intelligence platform
KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now. However, Netenrich’s offering isn’t just limited to threat intelligence. We offer a powerful combination of threat and attack surface intelligence.
Threat and Attack Surface Intelligence will help your SecOps to:
- Find hidden risks to your brand on the public Internet
- Stay informed about threats in minutes versus hours
- Act on the most critical threats first
- Reduce effort and alert fatigue
- Measure and demonstrate value.
Find out more about Netenrich’s Attack Surface Intelligence (ASI) solution.
Hey, before you leave, we have this interesting article up on “Intelligent SOC.” Intelligent SOC leverages Netenrich Resolution Intelligence to evolve cybersecurity beyond the antiquated ticket-based model with modern AIOps-based architecture.
Want to read some more?Yes I do!
Subscribe To Our Newsletter!
The best source of information for Security, Networks, Cloud, and ITOps best practices. Join us.
Thank you for subscribing!