North Korean APT37 Uses RokRAT Trojan to Target South Korea

North Korean APT37 threat group used self-decoding RokRAT Trojan to inject malware into victims’ computers in South Korea.

Security researchers from Malwarebytes found that the state-sponsored North Korean threat actor group APT37 is using the RokRAT Trojan in a new wave of cyber operations targeting the South Korean government. APT37, also known as ScarCruft, Reaper, and Group123, has been active since at least 2012.

“On December 7, 2020, we identified a malicious document uploaded to VirusTotal, which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was January 23, 2020, which aligns with the document compilation time of January 27, 2020, indicating that this attack took place almost a year ago,” Malwarebytes said.

The RokRAT Trojan

According to the researchers, the malicious document (a meeting invite) contains an embedded macro that uses a VBA self-decoding procedure to decode itself within the memory space of Microsoft Office and then injects a variant of RokRAT into Notepad. Previously, APT37 exploited Hangul Office documents (.hwp files) to target victims in South Korea, since Hangul is the most widely used office software there. This time, however, the attackers took an alternative route, delivering the malware via self-decoding VBA Office files.

“We can consider this technique an unpacker stub, which is executed upon opening the document. This unpacker stub unpacks the malicious macro and writes it into the memory of Microsoft Office without being written to disk. This can easily bypass several security mechanisms. Microsoft by default disables the dynamic execution of the macro, and if an attacker needs to execute one dynamically — which is the case here — the threat actor needs to bypass the VB object model (VBOM) by modifying its registry value,” Malwarebytes added.
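As an added example (not code from Malwarebytes or from this article), the following Python heuristic flags macro source that shows the pattern described above: tampering with the VBOM trust setting (stored in the AccessVBOM registry value), decoding a payload in a loop, and writing the decoded code into the running VBA project instead of to disk. The indicator names and both VBA fixtures are constructed for this example.

```python
import re
from typing import Dict, List

# Heuristics for the in-memory "unpacker stub" pattern: the stub grants itself
# access to the VBA project object model (AccessVBOM registry value), decodes
# its payload in a loop, and writes the decoded macro into Office's running
# VBA project rather than to disk. Indicator names are constructed here.
INDICATORS: Dict[str, re.Pattern] = {
    "vbom_registry_tamper": re.compile(r"AccessVBOM", re.I),
    "registry_write": re.compile(r"\bRegWrite\b", re.I),
    "vba_project_access": re.compile(r"\bVBProject\b", re.I),
    "dynamic_macro_injection": re.compile(r"\b(AddFromString|InsertLines)\b", re.I),
    "self_decoding_loop": re.compile(r"\bChrW?\s*\(.*\bXor\b", re.I),
}


def score_macro(vba_source: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every heuristic that fires."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(vba_source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_suspicious(hits: Dict[str, List[int]]) -> bool:
    """High confidence only when VBOM tampering and dynamic injection co-occur."""
    return "vbom_registry_tamper" in hits and "dynamic_macro_injection" in hits


# Constructed fixture mimicking the stub's shape (no real payload; path elided).
SAMPLE_MALICIOUS = r"""Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\...\Security\AccessVBOM", 1, "REG_DWORD"
    Dim i As Integer, decoded As String
    For i = 1 To Len(blob)
        decoded = decoded & Chr(Asc(Mid(blob, i, 1)) Xor 33)
    Next i
    ActiveDocument.VBProject.VBComponents("Module1").CodeModule.AddFromString decoded
End Sub"""

# Constructed benign macro: ordinary document automation, no VBOM access.
SAMPLE_BENIGN = """Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    MsgBox "Report formatted"
End Sub"""
```

Feed it macro source extracted from a document (for example with oletools' olevba) and treat a result where `is_suspicious` is true as worth manual triage.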

RokRAT’s Key Traits

  • Captures screenshots
  • Gathers system information (username, computer name, BIOS)
  • Exfiltrates data to cloud services
  • Steals credentials
  • Manages files and directories

Once successfully injected, the RokRAT Trojan harvests sensitive data from the victim’s machine and sends it to the threat actors via cloud services such as pCloud, Dropbox, Box, and Yandex.

Indicators of Compromise
