Subscribe To Our Newsletter!

Stay up to date on the top trending threats as well as the top stories in Security, Networks, Cloud, IT Ops & AIOps.

Rokrat – Do You KNOW This Malware

North Korean threat actors have been using this malware to target victims in South Korea.

Post by Rajarshi Mitra Jan 12, 2021

KNOW is Netenrich’s threat intelligence platform and cybersecurity news aggregator. As per KNOW’s threat intel dashboard, Rokrat was the third most trending malware over the last seven days.

[Figure: Rokrat threat intel overview and description from KNOW]

What is Rokrat?

Rokrat is a cloud-based RAT (remote access tool) used primarily by APT37, aka ScarCruft, a well-known North Korean threat actor, to target victims in South Korea. APT37 used Rokrat in several campaigns between 2016 and 2018, infecting hosts by sending malicious Hangul Word Processor (HWP) documents in spearphishing emails.

How does Rokrat work?

It uses the legitimate Twitter, Yandex, and Mediafire services as its command-and-control (C2) and exfiltration channels. Because those services are legitimate and widely used, blocking the traffic outright is impractical.
Once a device is infected, the malware can execute a range of commands: move a file, delete a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes.
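The practical consequence of C2 over legitimate cloud services is that blocking by domain is not an option and detection has to rely on context: which process talks to the service, how many such services one process touches, and how much data leaves. The following detection sketch is an added example, not code from the original post or from Netenrich; the log format, the browser allow-list, the upload threshold, and the sample events are all constructed assumptions for illustration.

```python
"""Flag endpoint events where a non-browser process talks to cloud services that the post
names as Rokrat C2/exfiltration channels (Twitter, Yandex, Mediafire).

Constructed example for illustration; the log format below is hypothetical."""
import re
from collections import defaultdict

# Constructed proxy/EDR events: "<timestamp> host=<name> proc=<image> dst=<fqdn> bytes_out=<n>"
SAMPLE_LOG = """\
2021-01-12T09:00:01Z host=WS01 proc=chrome.exe dst=api.twitter.com bytes_out=1200
2021-01-12T09:01:10Z host=WS01 proc=chrome.exe dst=www.mediafire.com bytes_out=3400
2021-01-12T09:02:44Z host=WS07 proc=Hwp.exe dst=api.twitter.com bytes_out=560
2021-01-12T09:02:50Z host=WS07 proc=Hwp.exe dst=www.mediafire.com bytes_out=2490000
2021-01-12T09:03:15Z host=WS07 proc=Hwp.exe dst=disk.yandex.com bytes_out=180000
2021-01-12T09:04:00Z host=WS03 proc=outlook.exe dst=outlook.office365.com bytes_out=900
"""

# Service domains taken from the post; the suffix list itself is an assumption.
C2_SERVICE_SUFFIXES = (".twitter.com", ".yandex.com", ".mediafire.com")
# Assumed allow-list: browsers are expected to reach these services; other images are not.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Assumed tuning value: aggregate outbound bytes per (host, process) that counts as an upload.
UPLOAD_THRESHOLD = 1_000_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev


def is_c2_service(fqdn):
    """True when the destination is one of the cloud services named in the post (or a subdomain)."""
    fqdn = fqdn.lower()
    return any(fqdn == s.lstrip(".") or fqdn.endswith(s) for s in C2_SERVICE_SUFFIXES)


def find_suspects(log_text):
    """Aggregate cloud-service traffic per (host, process) for non-browser images and
    return alerts with the reasons that fired. Browser traffic is ignored as expected noise."""
    agg = defaultdict(lambda: {"services": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or not is_c2_service(ev["dst"]):
            continue
        if ev["proc"].lower() in BROWSERS:
            continue
        key = (ev["host"], ev["proc"])
        agg[key]["services"].add(ev["dst"].lower())
        agg[key]["bytes_out"] += ev["bytes"]

    alerts = []
    for (host, proc), info in sorted(agg.items()):
        reasons = []
        if len(info["services"]) >= 2:
            reasons.append("one non-browser process reaching multiple cloud services")
        if info["bytes_out"] >= UPLOAD_THRESHOLD:
            reasons.append("large upload volume to a cloud service")
        if reasons:
            alerts.append({
                "host": host,
                "proc": proc,
                "services": sorted(info["services"]),
                "bytes_out": info["bytes_out"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_LOG):
        print(f"{alert['host']} {alert['proc']}: {', '.join(alert['reasons'])} "
              f"(services={alert['services']}, bytes_out={alert['bytes_out']})")
```

On the constructed sample the only hit is `WS07`/`Hwp.exe`, which reaches all three services and pushes well over the threshold; the browser traffic on `WS01` is ignored and `outlook.exe` never touches a listed service. In a real deployment the allow-list and threshold would be tuned to the environment, and the service list extended as reporting on the actor's infrastructure changes.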

Why is Rokrat trending?

ScarCruft has recently targeted the South Korean government using a VBA self-decode technique to inject Rokrat. On December 7, 2020, a malicious document uploaded to VirusTotal was identified. It posed as a meeting request aimed at the South Korean government; the attack itself had apparently taken place a year earlier.

Twitter reacts

  • #1 Malwarebytes Threat Intelligence
  • #2 NK News
  • #3 Mihoko Matsubara

Rokrat references from KNOW

[Figure: Rokrat threat intel references from KNOW]

  • Total references: 791
  • Previous 60 days: 374
  • Last 7 days: 373

Rokrat threat intel context from KNOW

[Figure: Rokrat threat intelligence context from KNOW]

  • Related threat actors: ScarCruft and Turla Group.
  • Related intrusion methods: Malware, Phishing, Keylogger, ShellCode, Exploit, and Zero Day.
  • Industries targeted: Aerospace and Defense.
  • Hashes: 23
  • URLs: 1
  • Associated vulnerabilities: CVE-2018-4878

KNOW our powerful threat intelligence platform

[Figure: KNOW threat intelligence from Netenrich]

KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now. However, Netenrich’s offering isn’t just limited to threat intelligence. We offer a powerful combination of threat and attack surface intelligence.

Threat and Attack Surface Intelligence will help your SecOps to:

  • Find hidden risks to your brand on the public Internet
  • Stay informed about threats in minutes versus hours
  • Act on the most critical threats first
  • Reduce effort and alert fatigue
  • Measure and demonstrate value

Why did we create Knowledge NOW? Read our story.

Find out more about Netenrich’s Attack Surface Intelligence (ASI) solution.


About the Author

Rajarshi Mitra

Rajarshi is a creative and accomplished writer who made his mark in the blockchain space before stepping into cybersecurity. When he is not working, he is busy chilling with his wife and cat.

