Scarcruft, a persistent threat actor, has been actively targeting various entities since 2016. Initially focused on South Korea, its operations have since expanded to Japan, Vietnam, Russia, Nepal, and the Middle East.
The group employs a range of tactics, techniques, and procedures (TTPs) to compromise their targets, including phishing, spearphishing, watering hole attacks, and exploitation of vulnerabilities.
Once they gain initial access, they use a variety of tools and techniques to maintain persistence, escalate privileges, and deploy additional payloads. Their primary objectives include espionage, data theft, and disruption of critical infrastructure.
The Scarcruft group employs the ROKRAT malware, a versatile Remote Access Trojan (RAT) targeting Windows, macOS, and Android systems, which leverages legitimate cloud services such as pCloud and Yandex for stealthy Command-and-Control (C&C) operations.
In order to authenticate itself with these cloud services and obtain encrypted commands, the malware makes use of OAuth tokens that are embedded within its code.
Once decrypted, these commands are executed on the infected device. Simultaneously, ROKRAT exfiltrates sensitive data from the compromised system and uploads it to the designated cloud storage.
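Because ROKRAT's C&C and exfiltration ride on legitimate cloud-storage APIs, a useful detection angle is to look at which processes talk to those services and how much they upload. The following is an added example written for this page, not code from S2W or from the malware analysis; the log format, the API hostnames, the list of expected client processes and the upload threshold are all assumptions chosen for illustration.

```python
"""Flag hosts whose traffic to pCloud/Yandex storage APIs comes from an
unexpected process or carries a large volume of uploads (constructed example)."""
from collections import defaultdict

# Assumed API hostnames for the two services named in the report.
CLOUD_STORAGE_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net"}
# Assumed processes that are expected to contact those services.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "pcloud.exe", "yandexdisk.exe"}
UPLOAD_BYTES_THRESHOLD = 5_000_000  # assumed per-host upload alert threshold


def parse_line(line):
    # Constructed CSV format: timestamp,src_host,process,dst_host,method,bytes_out
    ts, src, proc, dst, method, out = line.strip().split(",")
    return {"ts": ts, "src": src, "proc": proc.lower(), "dst": dst.lower(),
            "method": method.upper(), "bytes_out": int(out)}


def find_suspicious(lines):
    """Return (src_host, reason) tuples for cloud-storage traffic worth review."""
    uploads = defaultdict(int)   # total bytes uploaded per source host
    seen = set()                 # dedupe process alerts per (src, proc, dst)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] not in CLOUD_STORAGE_HOSTS:
            continue
        key = (rec["src"], rec["proc"], rec["dst"])
        if rec["proc"] not in EXPECTED_CLIENTS and key not in seen:
            seen.add(key)
            alerts.append((rec["src"], "unexpected process %s contacted %s"
                           % (rec["proc"], rec["dst"])))
        if rec["method"] in ("PUT", "POST"):
            uploads[rec["src"]] += rec["bytes_out"]
    for src, total in uploads.items():
        if total >= UPLOAD_BYTES_THRESHOLD:
            alerts.append((src, "uploaded %d bytes to cloud storage" % total))
    return alerts


# Constructed sample proxy log: ws-07 shows an Office process pulling from and
# pushing several megabytes to both storage services; ws-12 is normal browsing.
SAMPLE_LOG = """\
2023-05-01T09:00:01,ws-12,chrome.exe,api.pcloud.com,GET,512
2023-05-01T09:02:17,ws-07,winword.exe,api.pcloud.com,GET,1024
2023-05-01T09:02:40,ws-07,winword.exe,api.pcloud.com,PUT,3500000
2023-05-01T09:03:05,ws-07,winword.exe,cloud-api.yandex.net,POST,2600000
2023-05-01T09:05:00,ws-12,chrome.exe,www.example.com,GET,2048
"""

if __name__ == "__main__":
    for host, reason in find_suspicious(SAMPLE_LOG.splitlines()):
        print(host, reason)
```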
One of ROKRAT's primary methods of gaining initial access is spear-phishing emails that carry malicious attachments.
Since July 2022, two primary initial-stage malware types have been observed in the ROKRAT infection chain: DROKLINK and DROKDOC, which facilitate the subsequent infiltration of the target system by the full-fledged ROKRAT malware.
These two delivery mechanisms differ: DROKLINK spreads ROKRAT by exploiting vulnerabilities in the target system, while DROKDOC leverages malicious macros embedded in document files.
Once successfully executed, both methods enable ROKRAT to infiltrate systems and execute malicious activities, potentially leading to data theft, system compromise, and other harmful consequences.
Scarcruft has also targeted platforms beyond Windows: in 2017, the group used watering hole attacks and social engineering to distribute mobile versions of ROKRAT, primarily targeting human rights groups and journalists.
More recently, in 2022, they expanded their operations to macOS, introducing the CloudMensis malware, which is a macOS variant of ROKRAT and is capable of data exfiltration, screen capturing, and remote command execution.
According to S2W, ROKRAT malware poses an ongoing threat due to its continuous evolution and sophisticated distribution techniques. Understanding its infection chains, functionalities, and attack methodologies is crucial for proactive defense.
Organizations that evaluate these aspects and act on them can implement effective countermeasures to mitigate the risks associated with ROKRAT attacks.