North Korean hackers launch RokRat Trojan in campaigns against the South

A VBA self-decoding technique is being used to hide the malware on impacted systems.

A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government.

The Remote Access Trojan (RAT) has been connected to attacks based on the exploitation of a Korean-language word processor commonly used in South Korea for several years; specifically, the compromise of Hangul Office documents (.HWP).

In the past, the malware has been used in phishing campaigns that lure victims through emails containing attachments with a political theme -- such as Korean unification and North Korean human rights. 

RokRat is believed to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123. Active since at least 2012, the advanced persistent threat (APT) group is likely state-sponsored and potentially tasked with targeting entities of value to the North Korean ruling party.

According to Malwarebytes security researcher Hossein Jazi, while previous campaigns have focused on exploiting .HWP files, a new phishing document sample attributable to APT37 reveals a pivot in tactics for the group. 

In a blog post this week, the cybersecurity company described the discovery of a new malicious document uploaded to VirusTotal on December 7. The sample file claims to be a request for a meeting dated in early 2020, suggesting that attacks have taken place over the past year.

Malwarebytes says that the content of the file also indicates that it has been "used to target the government of South Korea."

The document does not follow the traditional .HWP path of APT37; instead, an embedded macro uses a VBA self-decoding technique to decode itself into the memory of Microsoft Office. This means that the malware does not have to write itself to disk, potentially in a bid to avoid detection.

Once Microsoft Office has been compromised, an unpacker stub then embeds a variant of RokRat into Notepad software. According to Malwarebytes, this technique allows the bypass of "several security mechanisms" with little effort. 

"To the best of our knowledge, this is a first for this APT group," Jazi says. 

In order to circumvent Microsoft security, which prevents the macro's dynamic execution, the attackers first need to bypass the VB object model (VBOM) by modifying registry values. 

The malicious macro checks whether VBOM can be accessed and, if it needs to be bypassed, attempts to set the VBOM registry key to one. Depending on the results of the check, such as if the VBOM setup has already been bypassed, the macro content may also be obfuscated, deobfuscated, and then executed in memory.
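The registry change described above is something defenders can watch for. The following is an added example, not code from Malwarebytes or the original article: it scans Sysmon Event ID 13 (registry value set) records for writes that set `AccessVBOM`, the Office registry value behind "Trust access to the VBA project object model", to 1. The sample events, the placeholder SID, and the severity heuristic are constructed assumptions.

```python
import re

# Constructed sample data: Sysmon Event ID 13 records reduced to the fields used here.
_SID = r"HKU\S-1-5-21-1111-2222-3333-1001"  # placeholder SID, not from the article
_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _WORD, "Details": "DWORD (0x00000001)",
     "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": _SID + r"\Software\Microsoft\Office\15.0\Excel\Security\AccessVBOM"},
    {"EventID": 13, "Image": _WORD, "Details": "DWORD (0x00000002)",
     "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
]

# Matches ...\Office\<version>\<app>\Security\AccessVBOM at the end of the key path.
VBOM_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>[\d.]+)\\(?P<app>[^\\]+)\\Security\\AccessVBOM$",
    re.IGNORECASE,
)
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def find_vbom_enables(events):
    """Return one finding per event that sets AccessVBOM to 1."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = VBOM_KEY.search(ev.get("TargetObject", ""))
        val = DWORD.fullmatch(ev.get("Details", ""))
        if not key or not val or int(val.group(1), 16) != 1:
            continue  # other value, or VBOM access being switched off
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        # Heuristic (assumption): an Office process changing its own VBOM setting
        # matches the macro behaviour described in the article, so rank it higher.
        severity = "high" if writer in OFFICE_IMAGES else "medium"
        findings.append({"app": key["app"], "version": key["ver"],
                         "writer": writer, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_vbom_enables(SAMPLE_EVENTS):
        print(finding)
```
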

The main function of the payload is to create a module utilizing shellcode to compromise Notepad before calling an encrypted file hosted on Google Drive that contains RokRat.

Once deployed on a vulnerable machine, RokRat will focus on harvesting data from the system before sending it to attacker-controlled accounts with cloud-based services including pCloud, Dropbox, Box, and Yandex. The malware is able to steal files, take screenshots, capture credentials, and tamper with file directories.

RokRat will also attempt to maintain stealth by checking for sandboxes and for the presence of VMware, scanning for debugging software, and analyzing DLLs related to Microsoft and iDefense.

In related news this week, Trustwave researchers recently discovered a new phishing campaign that deploys QRat to Windows machines. First discovered in 2015, the Trojan features heavy levels of obfuscation and remote access capabilities. 
