Security researchers from Malwarebytes found that the state-sponsored North Korean threat actor group APT37 is using the RokRAT Trojan in a new wave of cyber operations targeting the South Korean government. APT37, also known as ScarCruft, Reaper, and Group123, has been active since at least 2012.
“On December 7, 2020, we identified a malicious document uploaded to Virus Total, which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was January 23, 2020, which aligns with the document compilation time of January 27, 2020, indicating that this attack took place almost a year ago,” Malwarebytes said.
The RokRAT Trojan
According to the researchers, the malicious document (a meeting invite) contains an embedded macro that uses a VBA self-decoding procedure to decode itself inside the memory space of Microsoft Office and then injects a variant of RokRAT into Notepad. Earlier, APT37 weaponized Hangul Office documents (.hwp files) to target victims in South Korea, because Hangul Word Processor is the most widely used office software there. This time, however, the attackers switched to delivering the malware via self-decoding VBA Office files.
“We can consider this technique an unpacker stub, which is executed upon opening the document. This unpacker stub unpacks the malicious macro and writes it into the memory of Microsoft Office without being written to disk. This can easily bypass several security mechanisms. Microsoft by default disables the dynamic execution of the macro, and if an attacker needs to execute one dynamically — which is the case here — the threat actor needs to bypass the VB object model (VBOM) by modifying its registry value,” Malwarebytes added.
RokRAT’s Key Traits
- Captures screenshots
- Gathers system info (username, computer name, BIOS)
- Exfiltrates data to cloud services
- Steals credentials
- Manages files and directories
Once successfully injected, the RokRAT Trojan harvests sensitive data from the victim’s machine and sends it to the threat actors via cloud services such as pCloud, Dropbox, Box, and Yandex.
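The chain described above (a registry change that enables VBA object-model access, Office spawning Notepad as the injection host, and Notepad talking to cloud storage) maps onto three host-telemetry checks. The script below is an added example written for this article, not Malwarebytes' code or anything from their report. It assumes Sysmon-style events already parsed into dicts with constructed field names (`type`, `image`, `parent_image`, `target`, `details`, `dest_host`); the `AccessVBOM` value under `HKCU\Software\Microsoft\Office\<ver>\<app>\Security` is the documented Office setting "Trust access to the VBA project object model", while the cloud domain suffix list and all sample events are constructed for the example.

```python
import re

# Office host processes that can run a VBA macro (assumption: document-bearing apps only).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Cloud storage services the write-up names as RokRAT exfiltration channels.
# The domain suffixes are this example's own list, not taken from the report.
CLOUD_SUFFIXES = ("pcloud.com", "dropbox.com", "dropboxapi.com",
                  "box.com", "yandex.net", "yandex.com")

# "Trust access to the VBA project object model" is stored at
# HKCU\Software\Microsoft\Office\<ver>\<app>\Security\AccessVBOM; DWORD 1 = trusted.
# A macro that needs to load and run VBA dynamically has to flip this value first.
ACCESSVBOM_RE = re.compile(
    r"\\software\\microsoft\\office\\[\d.]+\\(word|excel|powerpoint)\\security\\accessvbom$",
    re.IGNORECASE,
)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def dest_is_cloud_storage(host):
    """True when the destination is one of the listed cloud-storage domains or a subdomain."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in CLOUD_SUFFIXES)


def check_event(ev):
    """Return a finding string for one event, or None if the event is unremarkable."""
    kind = ev["type"]
    if kind == "registry_set":
        # Rule 1: AccessVBOM switched on (Sysmon reports DWORD data as "DWORD (0x00000001)").
        if ACCESSVBOM_RE.search(ev["target"]) and "0x00000001" in ev["details"]:
            return ("AccessVBOM set to 1 by %s (VBOM trust enabled; dynamic macro "
                    "loading now possible)" % image_name(ev["image"]))
    elif kind == "process_create":
        # Rule 2: an Office app launching Notepad, which RokRAT uses as its injection host.
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        if parent in OFFICE_PROCS and child == "notepad.exe":
            return "%s spawned notepad.exe (candidate RokRAT injection host)" % parent
    elif kind == "network_connect":
        # Rule 3: Notepad has no business talking to cloud-storage APIs.
        if image_name(ev["image"]) == "notepad.exe" and dest_is_cloud_storage(ev["dest_host"]):
            return "notepad.exe connected to cloud storage %s (possible exfiltration)" % ev["dest_host"]
    return None


def triage(events):
    """Run every event through check_event and return the findings in event order."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample telemetry in Sysmon-like shape; SIDs, paths and hosts are made up.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM",
     "details": "DWORD (0x00000001)"},
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"type": "network_connect",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "dest_host": "api.pcloud.com", "dest_port": 443},
    # Benign noise that must not fire: a user opening Notepad, a browser using Dropbox,
    # and an unrelated Office security value being written.
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "network_connect",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "www.dropbox.com", "dest_port": 443},
    {"type": "registry_set",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings",
     "details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each rule alone will produce some noise on a busy fleet (an administrator legitimately enabling VBOM trust, a user launching Notepad from a document); the value comes from seeing all three fire for the same Office session within a short window, which is what a correlation rule on top of `triage` should key on.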
Indicators of Compromise