North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics to breach systems, leveraging malicious ZIP files that contain deceptive LNK files.
These files, when executed, initiate a multi-stage attack that ultimately leads to the deployment of the RokRat remote access Trojan (RAT).
This malware is designed to gather extensive system information, execute commands, and communicate with command-and-control (C2) servers via cloud services like pCloud, Yandex, and Dropbox.

Infection Flow and Technical Details
The attack begins with phishing emails containing ZIP attachments that masquerade as documents related to North Korean affairs or trade agreements.
Upon opening these ZIP files, users inadvertently execute malicious LNK files, which trigger a series of scripts and PowerShell commands.
The LNK files extract multiple payloads, including a decoy HWPX document and several data files, which are then executed in the background.
One of these payloads, a batch script named shark.bat, launches PowerShell in a hidden window to execute further malicious scripts.
According to the researchers, these scripts decrypt and load additional payloads into memory, eventually leading to the execution of the RokRat malware.
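The chain above (LNK opened from a ZIP, a batch file run from the extraction folder, PowerShell started with a hidden window) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from the article or from the researchers it cites: it walks constructed Sysmon-style records, flags every hidden-window PowerShell, and raises the severity when an ancestor ran a .bat out of the `%TEMP%\Temp1_<archive>.zip\` folder that Explorer uses when a file is opened directly inside a ZIP. The field names, paths and the sample events are assumptions; only the `shark.bat` name comes from the article.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records (not real telemetry).
# 'shark.bat' is the name reported in the article; the paths are invented.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Explorer opened the LNK inside the ZIP; the batch file then runs from
    # the %TEMP%\Temp1_<archive>.zip\ folder Explorer uses for in-archive opens.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Temp1_report.zip\shark.bat"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File stage2.ps1"},
    # Benign: an administrator's interactive console launching PowerShell.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

# -WindowStyle Hidden and its short forms (-w hidden, -w h).
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
# A .bat launched straight out of Explorer's temporary ZIP-extraction folder.
BAT_FROM_ZIP_TEMP = re.compile(r'\\temp\\temp\d*_[^\\]+\.zip\\[^"\s]+\.bat', re.IGNORECASE)


def find_hidden_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per hidden-window PowerShell process, naming the
    batch script in its ancestry (if any) that ran from a ZIP extraction folder."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\powershell.exe"):
            continue
        if not HIDDEN_WINDOW.search(e["cmdline"]):
            continue
        batch: Optional[str] = None
        ancestor = by_pid.get(e["ppid"])
        for _ in range(8):  # bounded walk up the process tree
            if ancestor is None:
                break
            m = BAT_FROM_ZIP_TEMP.search(ancestor["cmdline"])
            if m:
                batch = m.group(0)
                break
            ancestor = by_pid.get(ancestor["ppid"])
        findings.append({
            "pid": e["pid"],
            # Hidden PowerShell alone is common in admin tooling; the ZIP-temp
            # batch parent is what makes this chain look like the lure.
            "severity": "high" if batch else "medium",
            "batch_script": batch,
            "cmdline": e["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_powershell_chains(SAMPLE_EVENTS):
        print(f)
```

The benign console session (pids 400 and 500) produces no finding because its PowerShell has no hidden-window switch; the lure chain is reported at high severity because the parent command line references a batch file under the ZIP extraction folder.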

RokRat is capable of collecting detailed system information, including OS versions, computer names, and running processes.
It also captures screenshots and exfiltrates this data to C2 servers.
The malware uses cloud services’ APIs to send, download, and delete files, embedding OAuth tokens to facilitate seamless communication.
RokRat can execute a variety of commands, allowing attackers to perform data exfiltration, system reconnaissance, and process termination.
It also employs anti-analysis techniques, such as detecting virtual machines and sandbox environments, to evade detection.

Command and Control Communications
APT37’s use of legitimate cloud services as C2 channels allows RokRat to blend into normal network traffic, making it challenging to detect.
The malware encrypts data using XOR and RSA encryption before exfiltration, ensuring that only the attackers can decrypt it.
Commands from the C2 server are encrypted using AES-CBC, which RokRat decrypts locally before execution.
These commands enable a range of activities, from stopping data collection to scanning system drives and executing remote commands.
The use of cloud services and sophisticated encryption techniques underscores the advanced capabilities of APT37 in conducting cyber espionage operations.
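Because the C2 traffic goes to legitimate cloud-storage APIs, the useful signal is not the destination alone but which process is talking to it. The following is an added detection example, not code from the article or from the researchers: it parses constructed key=value proxy/EDR records, keeps only requests to the storage APIs of the services named above, drops traffic from browsers and official sync clients, and reports the remaining processes, rating script hosts such as PowerShell higher. The API hostnames, the expected-client list, and every log line are assumptions to adapt to your own environment.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumed API hostnames for the cloud services the article names; adjust to
# what your proxy actually records.
CLOUD_API_HOSTS = {
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}
# Assumed set of programs that legitimately use those APIs in this environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "pcloud drive.exe"}
# Script hosts: a cloud-storage API call from one of these is a stronger signal.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed proxy/EDR network records in key=value form (not real logs).
SAMPLE_LOG = r"""
ts=2024-05-01T10:00:01Z endpoint=WS01 proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=api.pcloud.com method=POST path=/uploadfile
ts=2024-05-01T10:00:07Z endpoint=WS01 proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=api.pcloud.com method=GET path=/getfilelink
ts=2024-05-01T10:00:09Z endpoint=WS01 proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=api.pcloud.com method=POST path=/deletefile
ts=2024-05-01T10:01:30Z endpoint=WS01 proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=cloud-api.yandex.net method=GET path=/v1/disk/resources
ts=2024-05-01T10:02:00Z endpoint=WS02 proc="C:\Program Files\Dropbox\Client\Dropbox.exe" dst=content.dropboxapi.com method=POST path=/2/files/upload
ts=2024-05-01T10:02:15Z endpoint=WS02 proc="C:\Program Files\Google\Chrome\Application\chrome.exe" dst=api.dropboxapi.com method=POST path=/2/files/list_folder
ts=2024-05-01T10:03:00Z endpoint=WS03 proc=C:\Windows\System32\svchost.exe dst=update.example.com method=GET path=/catalog
""".strip().splitlines()

# key=value pairs; values may be quoted when they contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV.findall(line)}


def flag_cloud_api_egress(lines: List[str]) -> List[Dict]:
    """Group cloud-storage API requests by (endpoint, process image) and report
    every process that is not an expected client of those services."""
    groups = defaultdict(lambda: {"services": set(), "requests": 0, "paths": []})
    for line in lines:
        rec = parse_record(line)
        service = CLOUD_API_HOSTS.get(rec.get("dst", "").lower())
        if service is None:
            continue  # not a cloud-storage API host
        image = rec.get("proc", "").rsplit("\\", 1)[-1].lower()
        if image in EXPECTED_CLIENTS:
            continue  # browser or official sync client: expected traffic
        g = groups[(rec.get("endpoint", "?"), image)]
        g["services"].add(service)
        g["requests"] += 1
        g["paths"].append(f'{rec.get("method", "?")} {rec.get("path", "?")}')
    findings = []
    for (endpoint, image), g in sorted(groups.items()):
        findings.append({
            "endpoint": endpoint,
            "process": image,
            "severity": "high" if image in SCRIPT_HOSTS else "medium",
            "services": sorted(g["services"]),
            "requests": g["requests"],
            "paths": g["paths"],  # upload/download/delete sequence is worth eyeballing
        })
    return findings


if __name__ == "__main__":
    for f in flag_cloud_api_egress(SAMPLE_LOG):
        print(f)
```

On the sample records only the PowerShell process on WS01 is reported; the Dropbox client and the browser are treated as expected users of those APIs, and the unrelated update traffic never matches a storage host. The retained request paths let an analyst see the upload, download-link and delete pattern described above in one place.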