The APT37 group (ScarCruft) has adopted a new infection chain that uses LNK files to deliver its malware, RokRAT.
APT37, also known as Inky Squid, RedEyes, Reaper or ScarCruft, is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group primarily targets victims in its neighboring country South Korea but also targets victims in nearby international countries such as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. The group uses many tools in its campaigns, including custom-written malware such as the updated RokRAT, the recently reported M2RAT, Konni RAT, Chinotto, and GOLDBACKDOOR, along with the commodity malware Amadey.
RokRAT is a Remote Access Trojan that was first discovered in April 2017, designed to target government sectors in South Korea as well as journalists, activists, and North Korean defectors. The first campaigns involving RokRAT started with spear phishing emails containing a malicious Hangul Word Processor (HWP) document embedded with an Encapsulated PostScript (EPS) object. The EPS object is used to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. The RokRAT malware is then extracted from the .jpg file and executed. RokRAT is notorious for using the legitimate online services Twitter, Yandex and Mediafire for its C2 and exfiltration communications, which allows the malware to disguise its C2 traffic as legitimate traffic and makes it harder to detect.
As of July 2022, researchers saw the RokRAT infection chain transition to the use of LNK files disguised as legitimate documents to infect victims. This transition was seen during the same month Microsoft began blocking macros in Office applications by default to minimize the spread of malware using malicious macros. The LNK files and decoy documents were updated regularly, and as of April 2023, two LNK files disguised as PDFs were in use, namely 2023 nyeondo 4 wol 29 il semina.pdf and April 29, 2023 Seminar.pdf. These decoy PDF files detail a seminar that will allegedly occur on April 29, 2023, at the Korean Association for Public Administration, and include a Zoom link and itinerary.
Clicking on the LNK file triggers the infection chain. A PowerShell command is executed that extracts the decoy document (10MB in size) and a BAT script (~50MB in size) onto the disk. The decoy document is opened to trick the user into believing that a normal PDF or HWP file was opened. Meanwhile, the script file is executed in the background and spawns another PowerShell instance that downloads a payload from the OneDrive link (hxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content). The shellcode then takes the first byte of the payload as a key and performs the XOR operation on the payload. This part of the decrypted payload is then injected into PowerShell, causing it to run a new thread. The shellcode finally decodes the RokRAT portion of the payload with a four-byte XOR key and executes it.
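A triage sweep for the delivery stage described above, as an added example that is not part of the original advisory: it confirms a file is a shell link by its header, then flags a document extension hidden behind .lnk and an unusually large file size, on the assumption that the decoy and script are carried inside the LNK itself. The extension list, the 1 MiB threshold and the sample file names are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# ShellLinkHeader (MS-SHLLINK): HeaderSize 0x4C, then the LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = {".pdf", ".hwp", ".doc", ".docx"}  # assumed lure extensions
SIZE_LIMIT = 1024 * 1024  # assumed threshold; ordinary shortcuts are a few KB


def triage_lnk(path, size_limit=SIZE_LIMIT):
    """Return findings for one pathlib.Path; an empty list means not flagged."""
    with path.open("rb") as fh:
        if fh.read(len(LNK_MAGIC)) != LNK_MAGIC:
            return []  # not a shell link, whatever its name says
    findings = []
    ext = path.suffix.lower()
    # Explorer hides ".lnk", so "invite.pdf.lnk" is displayed as "invite.pdf".
    shown_ext = Path(path.stem).suffix.lower() if ext == ".lnk" else ext
    if shown_ext in DOC_EXTS:
        findings.append("document-extension-masquerade")
    if path.stat().st_size > size_limit:
        findings.append("oversized-lnk")
    return findings


def scan_tree(root):
    """Walk root and map each flagged file name to its findings."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        try:
            found = triage_lnk(p) if p.is_file() else []
        except OSError:
            continue  # unreadable file: skip it, keep sweeping
        if found:
            hits[p.name] = found
    return hits


def demo():
    samples = {  # constructed files: normal shortcut, padded lure, real PDF stub
        "Notepad.lnk": LNK_MAGIC + b"\x00" * 2048,
        "seminar_invite.pdf.lnk": LNK_MAGIC + b"\x00" * (2 * SIZE_LIMIT),
        "report.pdf": b"%PDF-1.7\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan_tree(root)
```

Calling scan_tree() on a mail-attachment quarantine or a user's Downloads folder returns only the files that carry the shell-link header and match at least one of the two heuristics.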
When executed, one of the first functions called is designed to collect data about the infected machine. This is likely for the attacker to determine if they have a desired target of interest. The following information is collected:
Hardcoded value 0xBAADFEDE: used later in the C&C communication
Any screenshot image the malware saves to the following path: %TEMP%\<16 hex digits>.tmp
XOR keys: used for decrypting commands and payloads from the C2 servers
Generated filenames: used later for downloading and executing payloads in certain commands
Machine type: obtained by querying the SMBiosData registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data
VMware tools version data
System BIOS version
RokRAT labels the collected data as MP3 files to hide its tracks. Any sensitive information that is gathered by the RAT is encrypted with the retrieved 0xBAADFEDE key and then encrypted with Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC). The exfiltrated data is then transmitted to its C2 servers (which are legitimate cloud providers). Researchers found that the RokRAT configuration contains an ID number that represents the cloud provider in use and the API token to use it. The malware also has a test mode that allows communication with the local machine. These ID numbers are:
1 Local machine (no cloud)
Indicators of Compromise
For a list of IOCs regarding file hashes, URLs and domains related to RokRAT, please see the link below:
To protect yourself against RAT attacks such as RokRAT, which relies on phishing emails, we recommend being wary of suspicious emails and any attachments they contain. In this case, the attackers use a malicious LNK file disguised as a PDF document to initiate the infection, so it is always recommended to scan email attachments and disregard any attachments that seem suspicious.
If you are infected by a RAT, we recommend the following:
Upon discovering the infection, immediately disconnect the infected device from the network to prevent any malicious activities from occurring.
Boot the device in safe mode and make sure a reputable anti-virus is installed.
Perform a full scan on the device and remove any threats detected.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Lakshmanan, R. (2023, May 2). North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains. Retrieved from The Hacker News. https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html
Check Point Research. (2023, May 1). Chain Reaction: ROKRAT's Missing Link. Retrieved from Check Point. https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/#single-post
Rascagneres, P. (2017, April 3). Introducing ROKRAT. Retrieved from Talos. https://blog.talosintelligence.com/introducing-rokrat/