In a recent surge of attacks against South Korean government officials, a North Korean hacking group is using the RokRat Trojan.
For several years, the Remote Access Trojan (RAT) has been associated with attacks that abuse a Korean-language word processor widely used in South Korea, specifically through compromised Hangul Office (HWP) files.
The malware has previously been used in phishing campaigns that lure victims with emails carrying political-themed attachments on topics such as Korean unification and North Korean human rights.
RokRat is thought to be the work of APT37, also known as ScarCruft, Reaper, and Group123. The advanced persistent threat (APT) group is believed to be state-sponsored and tasked with targeting institutions of interest to the North Korean ruling party, and has been active since at least 2012.
The sample document appears to be a meeting request dated early 2020, suggesting that the attacks took place within the past year.
Malwarebytes notes that this document’s content also confirms that it was “used to hack the South Korean government.”
The document does not follow APT37's usual .HWP route; instead, an embedded macro uses a self-decoding VBA technique to inject itself into Microsoft Office memory.
This means the malware does not need to write itself to disk, most likely to avoid detection.
Once Microsoft Office has been compromised, an unpacker stub injects a copy of RokRat into the Notepad process. According to Malwarebytes, this approach bypasses "several safety mechanisms" with very little effort.
To get around the Microsoft protection that prevents dynamic macro execution, the attackers first bypass the VB Object Model (VBOM) access restriction by modifying a registry value.
To determine whether VBOM access needs to be bypassed, the malicious macro checks the VBOM registry key and attempts to set it.
Depending on the result of that check, the macro decodes its obfuscated content and executes it in memory, as the VBOM restriction has by then been bypassed.
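A defender-side check for the registry change described above, written for this article as an added example (it is not code from the article or from Malwarebytes): the script audits every installed Office version for the "Trust access to the VBA project object model" value (AccessVBOM) and the macro security level (VBAWarnings), both under the standard Office Security key, and reports any weak setting. The list of Office applications and the assumption that version subkeys look like `16.0` are mine.

```powershell
# Audit Office registry settings that the self-decoding macro technique relies on.
# AccessVBOM = 1 lets a macro write VBA into the running Office project (weak).
# VBAWarnings = 1 means all macros run without prompting (weak).
$apps  = @('Word', 'Excel', 'PowerPoint', 'Outlook', 'Access')   # assumption: apps to check
$roots = @(
    'HKCU:\Software\Microsoft\Office',            # per-user settings
    'HKLM:\Software\Microsoft\Office',            # machine-wide settings
    'HKCU:\Software\Policies\Microsoft\Office',   # Group Policy enforced values
    'HKLM:\Software\Policies\Microsoft\Office'
)
$findings = @()

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # Version subkeys are numeric, e.g. 14.0, 15.0, 16.0 (assumption)
    $versions = Get-ChildItem $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            $secKey = "$root\$($ver.PSChildName)\$app\Security"
            if (-not (Test-Path $secKey)) { continue }
            $props = Get-ItemProperty -Path $secKey -ErrorAction SilentlyContinue
            if ($props.AccessVBOM -eq 1 -or $props.VBAWarnings -eq 1) {
                $findings += [pscustomobject]@{
                    Key         = $secKey
                    Application = $app
                    Version     = $ver.PSChildName
                    AccessVBOM  = $props.AccessVBOM
                    VBAWarnings = $props.VBAWarnings
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No weak AccessVBOM/VBAWarnings settings found.'
} else {
    Write-Warning "$($findings.Count) weak Office macro setting(s) found:"
    $findings | Format-Table -AutoSize
}
```

Running this periodically, or alerting on registry writes to these values with an EDR or Sysmon rule, catches the VBOM flip whether it was made by a macro or by a user.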
Besides referencing an encrypted file hosted on Google Drive that contains RokRat, the payload's main job is to use shellcode to inject a module into Notepad.
Once active on a compromised machine, RokRat focuses on collecting data from the host and sending it to attacker-controlled accounts on cloud services such as pCloud, Dropbox, Box, and Yandex.
The malware can steal data, take screenshots, grab passwords, and manipulate document folders.
RokRat is a malware variant that tries to stay stealthy by checking for sandboxes and the presence of VMware, looking for debugging tools, and checking for Microsoft- and iDefense-related DLLs.
In related news this week, Trustwave analysts spotted a new phishing campaign that deploys QRat on Windows computers.