Rewterz Threat Alert – APT37 Aka StarCruft or RedEyes – Active IOCs

Severity

High

Analysis Summary

APT37, also known as ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been active since at least 2012 and primarily targets victims in South Korea. However, it has also conducted operations against entities in other countries, including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and various parts of the Middle East.

APT37 has been linked to several campaigns between 2016 and 2018, including Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, North Korean Human Rights, and Evil New Year 2018. These campaigns involve a range of tactics and techniques aimed at intelligence gathering, data exfiltration, and disruption. One of the tools that APT37 has been associated with is the Goldbackdoor and RokRAT. 

The RedEyes threat group continues to pose a significant cybersecurity risk. Recent research confirms that this group, responsible for distributing the CHM malware disguised as a security email from a Korean financial company, has now expanded its operations to include the distribution of the RokRAT malware through LNK files.

RokRAT is a sophisticated malware capable of collecting user credentials and downloading additional malicious software onto compromised systems. In the past, this malware was primarily distributed through HWP and Word files. However, the latest discovery reveals that the RedEyes threat group has adopted a new tactic by using LNK files.

The LNK files discovered contain PowerShell commands, which enable the execution of malicious actions. By creating and executing a script file alongside a normal file in the temporary folder, the malware can carry out its malicious activities. 

Although this malware has not undergone significant changes in recent years, its effectiveness lies in its utilization of various techniques. ROKRAT primarily focuses on two main objectives: running additional payloads and conducting extensive data exfiltration. To achieve its goals, the malware leverages cloud infrastructure for its command and control (C&C) functions. It makes use of reputable cloud services such as Dropbox, pCloud, Yandex Cloud, and OneDrive to communicate with the attacker’s infrastructure. This approach helps mask its malicious activities as potential legitimate cloud communications, making detection more challenging. Additionally, ROKRAT collects machine-specific information, enabling the threat actors to avoid infecting unintended targets and tailor their actions accordingly.

In terms of its code structure, ROKRAT exhibits a consistent pattern across analyzed samples. Most samples feature a straightforward WinMain function. They also contain a data collection functionality called CollectMachineData, which is executed prior to the execution of the main RAT thread (MainRATThread). The MainRATThread initializes the RAT and continuously loops, attempting to receive commands from the C&C server, parsing and executing them as necessary.

One of the initial actions performed by ROKRAT upon execution is the collection of data about the compromised machine. This data collection phase likely serves the purpose of helping the attackers identify whether the infected machine aligns with their desired targets. This information allows them to adapt their subsequent actions accordingly, ensuring they focus their efforts on high-value or specific targets.

ROKRAT employs several techniques to evade detection and hinder network analysis. It leverages in-memory execution, which means it runs entirely in memory without leaving significant traces on disk, making it harder to detect through traditional means. The malware also employs encryption techniques to obfuscate its network communication, making it challenging to analyze network traffic and establish signatures for detection.

Overall, ROKRAT stands out as a persistent and adaptable tool used by threat actors to carry out targeted attacks. Its ability to run additional payloads, conduct extensive data exfiltration, and employ various evasion techniques makes it a formidable threat to organizations and individuals alike. Robust cybersecurity measures, including up-to-date antivirus software, network monitoring, and user education, are essential to mitigate the risks associated with ROKRAT and similar sophisticated malware.

Impact

• Information Theft and Espionage

Indicators of Compromise

MD5

• 9b4476ffe7e72188015aa161f4400944
• 9fe0552634db234c6f5e396d51c7fd6f
• 103d4dd7479f7b1a2f3cab2657432535
• dbb3ff5a5738c0443b48d9aa055d6950
• c6e567d2d7763682a98ac9267bb9dd73
• 471b83a6714d8b69bc9e5c84408013ca

SHA-256

• 405846e41b23c6f50178863e9bb73e9a2e9b0b8e5e90c9cacac8deed50acf992
• 57e92740621cd35331b8004d387e8d259aa4a3a79455c78d99ab962afad1f4a1
• d5f3f378ac7ed6de8a1b8babd0b07a4bae980c0926a2ca2ba4686955315bfbbb
• 40dc68ae77f76e89c5146b75d9c88bb7d6ee8143e83b54de814536de120d6a11
• 4077ec68cbe9d5323391b326411e109522aaa5f921769ecc4197a259adfed4c5
• 88c6d8a982c6d06aa1d6ee1750ffbc34ce7f8b60b72a21ba66112b21b6c2e97b

SHA-1

• 33d12f24e2c2d5fcbb1f258072cffc0929910466
• 9aaba56f9f1b44df858a8e809a8552b1d113dcb1
• 3f070600db88f896e7c014655d3dd6c32407dc0b
• 683d7adaf1ab0d2e3e606542e667a2c967b02457
• db221cc80b528810e8da64bf4ead4e3db560fa36
• 604dfc8faa431c1673c0e7f8499efb752fc43f41

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.