The North Korean threat actor known as APT37 has been observed changing its deployment methods, using lures themed on South Korean foreign and domestic affairs: archives containing Windows shortcut (LNK) files that initiate ROKRAT malware infection chains.
ROKRAT Malware
ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes and Ricochet Chollima, is a hacking group that almost exclusively targets South Korean individuals and entities in spear-phishing attacks designed to deliver a range of custom tools.
ROKRAT's core role is to fetch and run additional payloads designed for data exfiltration. ROKRAT and its variants can steal credentials, exfiltrate data, capture screenshots, collect system information, execute commands and shellcode, and manage files and directories.
![](https://firsthackersnews.com/wp-content/uploads/2023/05/image-3.png)
The report also notes that ROKRAT itself has changed little in the last few years; what has changed is the delivery chain in front of it.
The collected information, some of which is saved as MP3 files to cover its tracks, is sent back using cloud services such as Dropbox, Microsoft OneDrive, pCloud and Yandex Cloud, in an attempt to disguise the command and control (C2) communications as legitimate traffic.
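The first link in the chain described above is an archive carrying an LNK, sometimes behind a double extension such as `.html.lnk` (see the IOC table below). The following triage script is an added example, not code from the original article or from any vendor report: it opens a ZIP, identifies LNK members by the ShellLink header rather than by file name, flags extension mismatches and double extensions, and compares SHA-256 values against an IOC set. The sample archive it builds is constructed for the demo and is not a real lure; the IOC hashes in `IOC_SHA256` are copied from the table on this page, so the constructed members deliberately do not match them.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass

# ShellLink (LNK) file header: HeaderSize = 0x0000004C (little-endian) followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its serialized byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# SHA-256 values copied from the IOC table on this page (the 0722 lure: zip, lnk, bat).
IOC_SHA256 = frozenset({
    "1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3",
    "cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286",
    "240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a",
})


@dataclass
class Finding:
    name: str
    size: int
    sha256: str
    is_lnk: bool        # member starts with the ShellLink header
    ext_mismatch: bool  # LNK content but the name does not end in .lnk
    double_ext: bool    # e.g. securityMail_1031.html.lnk
    ioc_hit: bool       # member hash appears in the IOC set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_archive(zip_bytes: bytes, ioc_hashes=IOC_SHA256):
    """Return (archive sha256, [Finding per file member])."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            lower = info.filename.lower()
            base_parts = lower.rsplit("/", 1)[-1].split(".")
            is_lnk = data.startswith(LNK_MAGIC)
            digest = sha256_hex(data)
            findings.append(Finding(
                name=info.filename,
                size=len(data),
                sha256=digest,
                is_lnk=is_lnk,
                ext_mismatch=is_lnk and not lower.endswith(".lnk"),
                double_ext=len(base_parts) >= 3 and base_parts[-1] == "lnk",
                ioc_hit=digest in ioc_hashes,
            ))
    return sha256_hex(zip_bytes), findings


def build_sample_zip() -> bytes:
    """Constructed sample (not a real lure): a .html.lnk member with a valid
    ShellLink header, an LNK disguised as a PDF, and a harmless .bat stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("securityMail_1031.html.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("agenda.pdf", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("230130.bat", b"@echo off\r\n")
    return buf.getvalue()


def triage_sample() -> dict:
    """Run the triage over the constructed sample and index findings by name."""
    _, findings = triage_archive(build_sample_zip())
    return {f.name: f for f in findings}


if __name__ == "__main__":
    archive_hash, findings = triage_archive(build_sample_zip())
    print("archive sha256:", archive_hash, "ioc:", archive_hash in IOC_SHA256)
    for f in findings:
        flags = [k for k in ("is_lnk", "ext_mismatch", "double_ext", "ioc_hit") if getattr(f, k)]
        print(f"{f.name:30} {f.size:6d} {f.sha256[:16]}...  {' '.join(flags) or '-'}")
```

Matching on the header matters because the lure names in the table below mix Korean document titles, `.html.lnk` double extensions and unnamed LNK files; an extension-only rule would miss a shortcut renamed to look like a document, while the 20-byte header check catches it regardless of name.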
ROKRAT Malware IOCs
File Hashes
| File Name | SHA-256 |
|---|---|
| (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip | 1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3 |
| (0722)상임위원회 및 상설특별위원회 위원 명단(최종).lnk | cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286 |
| 202207221.bat | 240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a |
| 사례비_지급의뢰서.doc | 12ecabf01508c40cfea1ebc3958214751acfb1cd79a5bf2a4b42ebf172d7381b |
| projects in Libya.zip | 00d88009fa50bfab849593291cce20f8b2f2e2cf2428d9728e06c69fced55ed5 |
| Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa – Mellitah).lnk | 6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494 |
| 230130.bat | 732fca9be66ba2c40c5d05845540207b9e1480e609d767aff63895bf49d33a81 |
| securityMail (1).zip | eb03f8b8e41b3ad27ccdecb092111e2c3c010436ad59add42755e2af04762b67 |
| securityMail_1031.html.lnk | 050c65d45e5f21018aa940f0188c4aa1318ac3df865d901f8643ed7ce4a4b52c |
| securityMail_1101.html.lnk | 5a3f1d14b9cc4890db64fbc41818d7039f25b0120574dcdec4e20d13e6b2740c |
| 27868.bat | c4029a2f1d0c07ae2b388b5a4076fba41e57af0dd0d2d0f86844464f22d63861 |
| 11702.zip, 17399.zip (same hash) | 9a4c61cdf0e291dc364c568aa161f744f59065efeafc72a3f892e12cbf88fc5b |
| mfc100.dll | 0e926d8b6fbf6f14a2a19d4d4af843253f9f5f6de337956a12dde279f3321d78 |
| (unnamed ISO file) | 6234ef67435dfcb65bd661b5f3bb0b77b82fe6cdd2109b6dfb9dea1b65a17d5d |
| 북 외교관 선발파견 및 해외공관.lnk | 479894be4c5dec0992ad3c5b21fb1423643996d80d59dcca76386bb325dc811e |
| 북한외교정책결정과정.lnk | c5c05f9df89fc803884fed2bd20a3824eae95eeb34a1827bf5210e4ac17beadd |
| 230401.bat, 230402.bat (same hash) | 70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c |
| 질문지.doc | 3252345b2640efc44cdd98667dbd25806ee2316d1e01eec488fd678e885aa960 |
| (unnamed LNK file) | 1e0b5d6b85fca648061fdaf2830c5a90248519e81e78122467c29beeb78daa1e |
| (unnamed LNK file) | f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753 |
| 230415.bat | 06431a5d8f6262cc3db39d911a920f793fa6c648be94daf789c11cc5514d0c3d |
URLs
- hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content
- hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhkSUpseW14b21abFd2WW8_ZT15SjJTSkk/root/content
- hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content
- hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content
- hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content
- hxxps[://]1erluw[.]bl[.]files[.]1drv[.]com/y4mjq91jEOFfIt8XWokhkvDA3nd2tPKC9x6YXe5KPoia1IoxaHAT0f4N[…]8IqzILVZkrM48fYGI1jkeYjBkceuEgARw-IRenUX4NuenWy_g/my[.]jpg
- hxxps[://]u9izog[.]dm[.]files[.]1drv[.]com/y4mKSGc6jShxeCkGYNOnZdeG42N9DXsT4dFh5t6umtqb8bI9VePGNlZG7GP_-K9ly6IW0xeiUqMR8o6Sk9pGqnPraGVk-PxQce9pcUKcGPoKvXYaPqoiBNLDb3KK94OjeEV0RiejfEGjZ1ccTQqeWZZ0_DnN4T5NGFZRCkc4ZvlJERfXrb5JgWm1U3gC4leSiTrTtV12NtA3UrdgsHv46eCoQ/AutumnPark
- hxxps[://]qb3oaq[.]bl[.]files[.]1drv[.]com/y4mHRkXCvSNkEazYL8KsgjxXW3y4EfgcyTsS_t5Wi6fefz383ova6apylWD0q0dsmeV2UbuXHYDd_IbfVazPybUB72j-fJ8cPvgLhX1dYRSVWpxXnpKq1GiHngnCioOASAeaS33ztlC74MpGEWsDuNksijGCqmtnIelhg-FBefDcwLwqsbCH01dRolRMhazBj1ZxYizw_CyFwdRbApbmUCNOQ/dragon32[.]zip
- hxxps[://]link[.]b4a[.]app/download[.]html?search=cHJvamVjdHMgaW4gTGlieWEuemlw
- hxxps[://]docx1[.]b4a[.]app/download[.]html?id=88&search=tuh3m0xez3npqzr4terfd2zhsnzasgt1zedgawjhvxflazkwyudwewzieglimli1tg5safltegw=
- hxxps[://]naver-file[.]com/download/list[.]php?q=e1&18467=41
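The OneDrive URLs above use the `/shares/{id}` form of the OneDrive API, where the id is `u!` followed by the sharing link encoded as base64url with padding stripped; the first b4a.app URL carries a base64 `search` parameter. The script below is an added example, not code from the original article or from any vendor report: it refangs the defanged URLs in this list, reverses the share-id encoding to recover the original 1drv.ms links, and decodes the `search` value. The decode of the second b4a.app `search` value (lowercase, not plain base64 text) is expected to fail and is reported as `None`; the `PAGE_URLS` constant is copied from the list above, with the truncated `[…]` entry left out because it cannot be reconstructed.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# URLs copied from the IOC list on this page (defanged form kept as published).
PAGE_URLS = [
    "hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content",
    "hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhkSUpseW14b21abFd2WW8_ZT15SjJTSkk/root/content",
    "hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content",
    "hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content",
    "hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content",
    "hxxps[://]link[.]b4a[.]app/download[.]html?search=cHJvamVjdHMgaW4gTGlieWEuemlw",
    "hxxps[://]docx1[.]b4a[.]app/download[.]html?id=88&search=tuh3m0xez3npqzr4terfd2zhsnzasgt1zedgawjhvxflazkwyudwewzieglimli1tg5safltegw=",
]


def refang(ioc: str) -> str:
    """Undo the defanging used in the list: hxxp -> http, [://] -> ://, [.] -> ."""
    return (ioc.replace("[://]", "://")
               .replace("hxxp", "http")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def b64url_decode(token: str) -> bytes:
    """base64url decode, restoring the '=' padding the share-id format strips."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def decode_onedrive_share(url: str) -> Optional[str]:
    """Recover the sharing link from a /shares/u!<base64url> OneDrive API URL."""
    m = re.search(r"/shares/u!([A-Za-z0-9_-]+)", url)
    if not m:
        return None
    try:
        return b64url_decode(m.group(1)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_search_param(url: str) -> Optional[str]:
    """Decode the 'search' query value as base64 text; None when it is not."""
    values = parse_qs(urlsplit(url).query).get("search")
    if not values:
        return None
    try:
        return b64url_decode(values[0]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_all(urls=PAGE_URLS) -> dict:
    """Map each refanged URL to whatever the encoded part reveals (or None)."""
    out = {}
    for u in urls:
        clean = refang(u)
        out[clean] = decode_onedrive_share(clean) or decode_search_param(clean)
    return out


if __name__ == "__main__":
    for url, hidden in decode_all().items():
        print(f"{url}\n    -> {hidden}")
```

The decoded `search` value of the first b4a.app URL is the name of the lure archive in the hash table above, which ties that downloader to the `projects in Libya.zip` sample; the 1drv.ms links recovered from the share ids are the values to pivot on when hunting OneDrive-hosted stages, since the `api.onedrive.com` form is just an encoding of them.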
Domains
- link[.]b4a[.]app
- docx1[.]b4a[.]app
- naver-file[.]com
- nate-download[.]com
- daum-store[.]com
- naver-storage[.]com