A North Korean hacking team is using the RokRat Trojan in a new wave of campaigns against the South Korean government.
The Remote Access Trojan (RAT) has been linked to attacks that for several years have exploited a Korean-language word processor used in South Korea, namely through malicious Hangul Office documents (.HWP).
In the past, the malware has been used in phishing campaigns that lured victims with emails carrying attachments on political issues, such as Korean unification and human rights in North Korea.
RokRat is believed to be the work of the APT37 group, also known as ScarCruft, Reaper and Group123. The group has been active since at least 2012, is likely state-funded and is possibly tasked with targeting entities of interest to North Korea's ruling party.
According to Malwarebytes security researcher Hossein Jazi, while previous campaigns focused on exploiting .HWP files, a new phishing document sample attributed to APT37 reveals a different tactic.
In a post released this week, the cyber security company described the discovery of a new malicious document uploaded to VirusTotal on December 7. The file claims to be a request for a meeting in early 2020, which suggests that other attacks took place during the past year.
Malwarebytes says the contents of the file also indicate that it was used to target the South Korean government.
The document does not follow the traditional APT37 .HWP path. Instead, an embedded macro uses a VBA self-decoding technique to decode itself in the memory of Microsoft Office. This means the malware does not need to be written to disk, possibly in an attempt to evade detection.
Once Microsoft Office is compromised, an unpacker stub injects a RokRat variant into the Notepad process. According to Malwarebytes, this technique allows "many security mechanisms" to be bypassed with little effort.
To get around the Microsoft security setting that prevents macro execution, the intruders must first bypass the VB object model (VBOM) protection by modifying registry values.
The malicious macro checks whether the VBOM can be accessed and, if the protection still needs to be bypassed, tries to set the VBOM registry key to one. Depending on the result of this check, that is, whether the VBOM setting has already been bypassed, the macro's contents can perform various actions.
Once deployed on a vulnerable machine, RokRat focuses on collecting data from the system before sending it to attacker-controlled accounts on services such as pCloud, Dropbox, Box and Yandex. The malware can steal files and credentials, take screenshots, and tamper with file directories.
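The chain described above (an Office process flipping the VBOM registry setting, Office starting Notepad to host the injected RokRat payload, and Notepad then talking to cloud storage services) gives a defender three observable points. The following Python script is an added example written for this page, not code from Malwarebytes, ZDNet or the APT37 sample; it runs a few simple correlation rules over constructed, Sysmon-like telemetry lines. The pipe-separated line format and all sample events are invented for the example; the `AccessVBOM` registry value name is the real Office Trust Center setting ("Trust access to the VBA project object model") that the article refers to as the VBOM registry key.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry, loosely modelled on Sysmon-style events.
# Format (invented for this example): KIND|process image|detail fields...
# None of these lines come from the Malwarebytes report.
SAMPLE_EVENTS = [
    # Word sets the VBOM trust setting to 1 -> the registry change the article describes
    "REG_SET|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM|1",
    # Same value written to 0 by Explorer -> benign, must not alert
    "REG_SET|C:\\Windows\\explorer.exe|"
    "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM|0",
    # Word spawns Notepad -> the host process used for the injected payload
    "PROC_CREATE|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "C:\\Windows\\System32\\notepad.exe",
    # Notepad, which has no business uploading anything, contacts cloud storage
    "NET_CONNECT|C:\\Windows\\System32\\notepad.exe|api.pcloud.com:443",
    # A browser talking to Dropbox is normal -> must not alert
    "NET_CONNECT|C:\\Program Files\\Mozilla Firefox\\firefox.exe|www.dropbox.com:443",
]

# Office hosts that can run VBA macros (assumed list, extend as needed).
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
# Storage services named in the article as RokRat exfiltration endpoints.
CLOUD_STORAGE = ("pcloud.com", "dropbox.com", "box.com", "yandex.")
# Matches ...\Office\<version>\<app>\Security\AccessVBOM, case-insensitive.
ACCESSVBOM_RE = re.compile(r"\\Office\\[\d.]+\\\w+\\Security\\AccessVBOM$", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    process: str
    detail: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Apply the three correlation rules to telemetry lines and return alerts in order."""
    alerts = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash the detector
        kind, image, rest = fields[0], fields[1], fields[2:]
        proc = image_name(image)

        if kind == "REG_SET" and len(rest) == 2:
            key, value = rest
            # Rule 1: an Office process enabling VBOM access is how the macro
            # removes the guard described in the article.
            if ACCESSVBOM_RE.search(key) and value == "1" and proc in OFFICE_IMAGES:
                alerts.append(Alert("office_sets_accessvbom", proc, key))

        elif kind == "PROC_CREATE" and rest:
            child = image_name(rest[0])
            # Rule 2: Office launching Notepad is the injection host being prepared.
            if proc in OFFICE_IMAGES and child == "notepad.exe":
                alerts.append(Alert("office_spawns_notepad", proc, child))

        elif kind == "NET_CONNECT" and rest:
            dest = rest[0].lower()
            # Rule 3: Notepad reaching a cloud storage service has no benign reason.
            if proc == "notepad.exe" and any(d in dest for d in CLOUD_STORAGE):
                alerts.append(Alert("notepad_cloud_upload", proc, dest))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert.rule:24} {alert.process:12} {alert.detail}")
```

Rule 1 on its own is noisy: a developer enabling "Trust access to the VBA project object model" in the Trust Center causes the Office process itself to write the same value, so in practice it is worth alerting only when it coincides with rule 2 or 3 on the same host within a short window, which is exactly the sequence the article lays out.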
Source of information: zdnet.com