A North Korean hacking team has been uncovered deploying the RokRat Trojan in a new spear-phishing marketing campaign targeting the South Korean governing administration.
Attributing the assault to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it discovered a destructive doc final December that, when opened, executes a macro in memory to set up the aforementioned distant access tool (RAT).
“The file incorporates an embedded macro that works by using a VBA self decoding approach to decode by itself in just the memory areas of Microsoft Office with out writing to the disk. It then embeds a variant of the RokRat into Notepad,” the researchers observed in a Wednesday investigation.
Believed to be active at minimum considering the fact that 2012, the Reaper APT is acknowledged for its emphasis on community and non-public entities mostly in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and health care entities. Considering that then, their victimization has expanded over and above the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other elements of the Center East.
Whilst the prior attacks leveraged malware-laced Hangul Term Processor (HWP) files, the use of self-decoding VBA Place of work information to produce RokRat indicates a modify in techniques for APT37, the researchers said.
The Microsoft VBA document uploaded to VirusTotal in December purported to be a assembly ask for dated January 23, 2020, implying that attacks took put almost a calendar year back.
Chief among the the tasks of the macro embedded in the file is to inject shellcode to a Notepad.exe course of action that downloads the RokRat payload in encrypted format from a Google Generate URL.
RokRat — initial publicly documented by Cisco Talos in 2017 — is a RAT of decision for APT37, with the team applying it for a selection of campaigns given that 2016. A Home windows-centered backdoor dispersed by using trojanized paperwork, it really is capable of capturing screenshots, logging keystrokes, evading assessment with anti-digital device detections, and leveraging cloud storage APIs this kind of as Box, Dropbox, and Yandex.
In 2019, the cloud service-centered RAT received additional features to steal Bluetooth unit information as element of an intelligence-gathering effort and hard work directed towards financial commitment and buying and selling firms in Vietnam and Russia and a diplomatic agency in Hong Kong.
“The case we analyzed is a single of the handful of exactly where they did not use HWP data files as their phish files and instead utilised Microsoft Business files weaponized with a self decode macro,” the researchers concluded. “That technique is a intelligent preference that can bypass many static detection mechanisms and disguise the main intent of a malicious document.”