• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

ALERT: North Korean hackers targeting South Korea with RokRat Trojan

Recommended Posts

North Korea malware attack

A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.

Attributing the attack to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).

"The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis.


Believed to be active at least since 2012, the Reaper APT is known for its focus on public and private entities primarily in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare entities. Since then, their victimology has expanded beyond the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

While the previous attacks leveraged malware-laced Hangul Word Processor (HWP) documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.


The Microsoft VBA document uploaded to VirusTotal in December purported to be a meeting request dated January 23, 2020, implying that attacks took place almost a year ago.

Chief among the responsibilities of the macro embedded in the file is to inject shellcode to a Notepad.exe process that downloads the RokRat payload in encrypted format from a Google Drive URL.

RokRat — first publicly documented by Cisco Talos in 2017 — is a RAT of choice for APT37, with the group using it for a number of campaigns since 2016. A Windows-based backdoor distributed via trojanized documents, it's capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Box, Dropbox, and Yandex.


In 2019, the cloud service-based RAT gained additional features to steal Bluetooth device information as part of an intelligence-gathering effort directed against investment and trading companies in Vietnam and Russia and a diplomatic agency in Hong Kong.

"The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro," the researchers concluded. "That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document."

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now