Keypoints
- Malicious .LNK files (e.g., “National Information Academy 8th integrated course certificate (final version).lnk”, “Gate access roster 2024.lnk”) execute a PowerShell command through CMD to trigger the attack chain.
- The LNK package contains a normal document, script code, and an encoded PE; executing the LNK generates three files in %PUBLIC%: viewer.dat (encoded RokRAT), search.dat (loader), and find.bat (starter).
- find.bat runs search.dat via PowerShell; search.dat reads viewer.dat and executes it in-memory by allocating memory, changing protections, writing bytes, and CreateThread (fileless execution).
- RokRAT acts as a backdoor that collects system and file information, can execute arbitrary commands, list directories, remove specific startup files, and enumerate startup/%APPDATA%/recent files.
- Collected data is stored in %TEMP% and uploaded to cloud services (pcloud, Yandex Disk, Dropbox) via cloud APIs; requests use a Googlebot User-Agent string to blend in.
- Attacker email addresses and multiple file hashes were recovered during analysis; ASEC detection names include Dropper/LNK.S2343, Trojan/BAT.Runner, and Data/BIN.EncPe.
MITRE Techniques
- [T1204.002] Malicious Link – The attack uses a specially crafted .LNK shortcut to trigger execution: ‘contains a command to run Powershell through CMD’.
- [T1059.001] PowerShell – PowerShell is used to create and execute the staged files and to run the loader: ‘find.bat … executes search.dat through Powershell.’
- [T1055] Process Injection – The loader executes the encoded payload in memory by allocating a buffer, marking it executable, writing the decoded bytes, and starting a thread on it with CreateThread: ‘…VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old); …CreateThread… WriteByte…’.
- [T1102] Web Service – Collected data is sent to attacker-controlled cloud services via cloud APIs (pcloud, Yandex, Dropbox): ‘The collected information is sent to the attacker’s cloud server using cloud services such as pcloud and yandex DropBox.’
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration and C2 use HTTP-based cloud APIs and spoof the client using a Googlebot User-Agent: ‘User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)’.
- [T1083] File and Directory Discovery – The malware collects directory listings as part of data-gathering: ‘Collect directory listings’.
- [T1082] System Information Discovery – The backdoor collects system and network information (system info, IP, router info): ‘Collect PC information (system information, IP, router information, etc.)’.
Indicators of Compromise
- [File name] Malicious LNK examples observed – National Information Academy 8th integrated course certificate (final version).lnk, Gate access roster 2024.lnk
- [Dropped files] Files created in %PUBLIC% by the LNK – viewer.dat (encoded RokRAT), search.dat (loader), find.bat (starter)
- [Hashes] Sample file hashes seen during analysis – b85a6b1eb7418aa5da108bc0df824fc0, 358122718ba11b3e8bb56340dbe94f51, and 6 more hashes
- [Cloud URLs] Cloud API endpoints used for exfiltration – https://api.pcloud.com/getfilelink?… , https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s (and Dropbox upload/download endpoints)
- [Emails] Attacker contact addresses found in analysis – tanessha.samuel@gmail[.]com, tianling0315@gmail[.]com (and 2 more addresses)
- [Detections] AV / telemetry names reported – Dropper/LNK.S2343 (2024.04.12.03), Trojan/BAT.Runner (2024.04.12.00), Data/BIN.EncPe (2024.04.12.00)
A targeted .LNK-based dropper delivers an embedded package that includes a benign-looking document, script code, and an encoded PE blob. When the shortcut is opened it runs a CMD-invoked PowerShell command that writes three artifacts to %PUBLIC%: viewer.dat (the encoded RokRAT payload), search.dat (a PowerShell loader), and find.bat (a starter batch file). find.bat triggers search.dat, which reads viewer.dat into memory and performs in-memory execution by allocating a buffer, adjusting memory protections, writing bytes, and invoking CreateThread to run the payload without writing a native EXE to disk.
Once active, RokRAT operates as a backdoor/infostealer: it enumerates directories and startup/%APPDATA%/recent lists, gathers system and network information (system details, IP, router info), can execute arbitrary commands, and deletes specified startup-related files. Collected artifacts are staged to %TEMP% and uploaded via legitimate cloud storage APIs (pcloud, Yandex Disk, Dropbox) using HTTP requests that present a Googlebot User-Agent to blend with normal traffic. Indicators recovered include the created filenames (viewer.dat, search.dat, find.bat), multiple file hashes, attacker email addresses, and ASEC detection names.
Detection and analysis notes: defenders should monitor for unusually large or malformed .LNK files, PowerShell activity that writes and executes binary blobs in %PUBLIC%/%TEMP%, memory allocation + CreateThread sequences, and outbound traffic to pcloud/Yandex/Dropbox API endpoints with a Googlebot User-Agent. Relevant telemetry and IOCs (hashes, filenames, attacker emails) should be applied to EDR, mail filtering, and cloud-access monitoring to detect or block this RokRAT distribution method.
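The two detection ideas above (a script host staging .dat/.bat files in %PUBLIC%, and cloud-API traffic carrying a Googlebot User-Agent) as a small correlation routine. This is an added example, not code from the ASEC report; the event records are constructed, the field names are assumed (normalised EDR/proxy telemetry), and the Dropbox API hostnames are assumed since the report names only pcloud and Yandex endpoints.

```python
"""Flag the RokRAT LNK staging pattern and Googlebot-UA cloud traffic, then
rate an endpoint 'high' when both appear on the same host."""
import re

# api.pcloud.com and cloud-api.yandex.net appear in the report; the Dropbox
# hosts are an assumption (Dropbox API v2 endpoints).
CLOUD_API_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net",
                   "api.dropboxapi.com", "content.dropboxapi.com"}
SCRIPT_HOST = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.I)
PUBLIC_DIR = re.compile(r"^[A-Z]:\\Users\\Public\\", re.I)
STAGED_EXT = re.compile(r"\.(dat|bat)$", re.I)          # viewer.dat, search.dat, find.bat
GOOGLEBOT_UA = re.compile(r"\bGooglebot/\d", re.I)     # crawler UA from a workstation

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UA_BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_EVENTS = [  # constructed telemetry, not from the report
    {"type": "file_create", "host": "WS01", "image": PS, "target": r"C:\Users\Public\viewer.dat"},
    {"type": "file_create", "host": "WS01", "image": PS, "target": r"C:\Users\Public\find.bat"},
    {"type": "file_create", "host": "WS02", "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\Public\readme.bat"},
    {"type": "http", "host": "WS01", "dst": "cloud-api.yandex.net", "ua": UA_BOT},
    {"type": "http", "host": "WS03", "dst": "api.pcloud.com", "ua": UA_BOT},
    {"type": "http", "host": "WS04", "dst": "api.pcloud.com", "ua": "pCloud Drive/3.11"},
]

def check_staging(ev):
    """PowerShell/CMD writing a .dat or .bat file directly under %PUBLIC%."""
    if ev.get("type") != "file_create":
        return None
    if SCRIPT_HOST.search(ev["image"]) and PUBLIC_DIR.match(ev["target"]) \
            and STAGED_EXT.search(ev["target"]):
        return ("staging", ev["host"], ev["target"])
    return None

def check_cloud_c2(ev):
    """HTTP to a cloud storage API whose client claims to be Googlebot."""
    if ev.get("type") != "http":
        return None
    if ev["dst"].lower() in CLOUD_API_HOSTS and GOOGLEBOT_UA.search(ev["ua"]):
        return ("cloud_c2", ev["host"], ev["dst"])
    return None

def triage(events):
    """Map host -> severity: both indicators on one host is 'high', one is 'medium'."""
    kinds_by_host = {}
    for ev in events:
        for check in (check_staging, check_cloud_c2):
            hit = check(ev)
            if hit:
                kinds_by_host.setdefault(hit[1], set()).add(hit[0])
    return {h: "high" if {"staging", "cloud_c2"} <= k else "medium"
            for h, k in kinds_by_host.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```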
Read more: https://asec.ahnlab.com/ko/64423