A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37[1] (aka ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).
“The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad,” the researchers noted[2] in a Wednesday analysis.
Believed to be active since at least 2012, the Reaper APT[3] is known for its focus on public and private entities primarily in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare organizations. Since then, its targeting has expanded beyond the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.
While the previous attacks leveraged malware-laced Hangul Word Processor (HWP) documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.
The Microsoft VBA document uploaded to VirusTotal[4] in December purported to be a meeting request dated January 23, 2020, implying that attacks took place almost a year ago.
Chief among the responsibilities of the macro embedded in the file is to inject shellcode into a Notepad.exe process, which then downloads the RokRat payload in encrypted form from a Google Drive URL.
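The delivery chain above leaves two observable traces on an endpoint: an Office process spawning notepad.exe, and that notepad.exe opening an outbound connection (to a cloud-storage host, in this campaign). The following detection logic is an added example, not code from Malwarebytes or the article; it runs over constructed Sysmon-style events, and the image paths, PIDs and hostnames in it are assumed sample values.

```python
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Cloud-storage hosts tied to RokRat in the article; hostnames are assumed.
CLOUD_HOSTS = {"drive.google.com", "www.googleapis.com", "api.box.com",
               "api.dropboxapi.com", "cloud-api.yandex.net"}

def image_name(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events: List[Dict]) -> List[Tuple]:
    """Return alerts for Office-spawned notepad.exe and for notepad.exe
    network activity. notepad.exe has no legitimate reason to reach the
    network, so any connection is at least medium; a connection from a
    PID that Office spawned, or to a cloud-storage host, is rated high."""
    alerts: List[Tuple] = []
    suspicious_pids = set()  # notepad.exe PIDs whose parent was Office
    for ev in events:
        if ev["type"] == "process_create":
            if (image_name(ev["parent_image"]) in OFFICE_IMAGES
                    and image_name(ev["image"]) == "notepad.exe"):
                suspicious_pids.add(ev["pid"])
                alerts.append(("office_spawned_notepad", ev["pid"],
                               image_name(ev["parent_image"])))
        elif ev["type"] == "network_connect":
            if image_name(ev["image"]) == "notepad.exe":
                high = (ev["pid"] in suspicious_pids
                        or ev["dest_host"] in CLOUD_HOSTS)
                alerts.append(("notepad_network", ev["pid"], ev["dest_host"],
                               "high" if high else "medium"))
    return alerts

# Constructed sample telemetry: one malicious chain plus benign noise.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": WINWORD,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4188, "image": NOTEPAD,
     "parent_image": WINWORD},                        # injected Notepad
    {"type": "network_connect", "pid": 4188, "image": NOTEPAD,
     "dest_host": "drive.google.com", "dest_port": 443},  # payload fetch
    {"type": "process_create", "pid": 5002, "image": NOTEPAD,
     "parent_image": r"C:\Windows\explorer.exe"},     # user-opened: benign
    {"type": "network_connect", "pid": 6010, "dest_port": 443,
     "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "drive.google.com"},                # browser: benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same two-step correlation translates directly into an EDR or SIEM rule (Sysmon event IDs 1 and 3 joined on ProcessId).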
RokRat[5] — first publicly documented by Cisco Talos[6] in 2017 — is a RAT of choice for APT37, with the group using it for a number of campaigns since 2016. A Windows-based backdoor distributed via trojanized documents, it’s capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Box, Dropbox, and Yandex.
In 2019, the cloud service-based RAT gained additional features[7] to steal Bluetooth device information as part of an intelligence-gathering effort directed against investment and trading companies in Vietnam and Russia and a diplomatic agency in Hong Kong.
“The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self-decode macro,” the researchers concluded. “That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document.”
References
- [1] APT37 (malpedia.caad.fkie.fraunhofer.de)
- [2] noted (blog.malwarebytes.com)
- [3] Reaper APT (attack.mitre.org)
- [4] VirusTotal (www.virustotal.com)
- [5] RokRat (malpedia.caad.fkie.fraunhofer.de)
- [6] Cisco Talos (blog.talosintelligence.com)
- [7] gained additional features (securelist.com)