APT37, also known as ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been active since at least 2012 and primarily targets victims in South Korea. However, it has also conducted operations against entities in other countries, including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and various parts of the Middle East.
APT37 has been linked to several campaigns between 2016 and 2018, including Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, North Korean Human Rights, and Evil New Year 2018. These campaigns involve a range of tactics and techniques aimed at intelligence gathering, data exfiltration, and disruption. One of the tools that APT37 has been associated with is the Goldbackdoor and RokRAT.
The RedEyes threat group continues to pose a significant cybersecurity risk. Recent research confirms that this group, responsible for distributing the CHM malware disguised as a security email from a Korean financial company, has now expanded its operations to include the distribution of the RokRAT malware through LNK files.
RokRAT is a sophisticated malware capable of collecting user credentials and downloading additional malicious software onto compromised systems. In the past, this malware was primarily distributed through HWP and Word files. However, the latest discovery reveals that the RedEyes threat group has adopted a new tactic by using LNK files.
The LNK files discovered contain PowerShell commands, which enable the execution of malicious actions. By creating and executing a script file alongside a normal file in the temporary folder, the malware can carry out its malicious activities.
Although this malware has not undergone significant changes in recent years, its effectiveness lies in its utilization of various techniques. ROKRAT primarily focuses on two main objectives: running additional payloads and conducting extensive data exfiltration. To achieve its goals, the malware leverages cloud infrastructure for its command and control (C&C) functions. It makes use of reputable cloud services such as Dropbox, pCloud, Yandex Cloud, and OneDrive to communicate with the attacker’s infrastructure. This approach helps mask its malicious activities as potential legitimate cloud communications, making detection more challenging. Additionally, ROKRAT collects machine-specific information, enabling the threat actors to avoid infecting unintended targets and tailor their actions accordingly.
In terms of its code structure, ROKRAT exhibits a consistent pattern across analyzed samples. Most samples feature a straightforward WinMain function. They also contain a data collection functionality called CollectMachineData, which is executed prior to the execution of the main RAT thread (MainRATThread). The MainRATThread initializes the RAT and continuously loops, attempting to receive commands from the C&C server, parsing and executing them as necessary.
One of the initial actions performed by ROKRAT upon execution is the collection of data about the compromised machine. This data collection phase likely serves the purpose of helping the attackers identify whether the infected machine aligns with their desired targets. This information allows them to adapt their subsequent actions accordingly, ensuring they focus their efforts on high-value or specific targets.
ROKRAT employs several techniques to evade detection and hinder network analysis. It leverages in-memory execution, which means it runs entirely in memory without leaving significant traces on disk, making it harder to detect through traditional means. The malware also employs encryption techniques to obfuscate its network communication, making it challenging to analyze network traffic and establish signatures for detection.
Overall, ROKRAT stands out as a persistent and adaptable tool used by threat actors to carry out targeted attacks. Its ability to run additional payloads, conduct extensive data exfiltration, and employ various evasion techniques makes it a formidable threat to organizations and individuals alike. Robust cybersecurity measures, including up-to-date antivirus software, network monitoring, and user education, are essential to mitigate the risks associated with ROKRAT and similar sophisticated malware.