LNK File Disguising as Certificate Distributes RokRAT Malware

ASEC confirms ongoing distribution of oversized LNK shortcut files that drop the RokRAT backdoor on South Korean targets, in a campaign linked to North Korea. The LNKs execute PowerShell via CMD, create and execute a legitimate document file as cover, and exfiltrate data through cloud services such as pCloud, Yandex, and Dropbox. #RokRAT #ScarCruft #RedEyes #LNK #SouthKorea #NorthKorea

Keypoints

  • The campaign uses abnormally large shortcut files (*.LNK) that target South Korean users and are linked to North Korean interests.
  • The confirmed LNKs contain a command to execute PowerShell via CMD, matching the pattern of earlier RokRAT distributions through LNK files.
  • Three files are created in the %public% folder (viewer.dat, search.dat, find.bat); viewer.dat holds the encoded RokRAT payload, which is run through a fileless chain.
  • Execution starts with find.bat, which launches search.dat to read viewer.dat and execute RokRAT in memory without writing the decoded payload to disk.
  • RokRAT uses cloud services (pCloud, Yandex, Dropbox) to transmit stolen data; the User-Agent in its requests is disguised as Googlebot.
  • Threat actor contact emails are identified (e.g., tanessha.samuel@gmail[.]com, tianling0315@gmail[.]com, w.sarah0808@gmail[.]com, softpower21cs@gmail[.]com).
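As an added defensive example (not code from the ASEC report), the script below triages .lnk files for the two traits described above: an abnormally large file and embedded strings that reference CMD/PowerShell or the %public% staging file names. The 1 MiB cutoff, the keyword list and the constructed sample shortcut are assumptions of this example.

```python
import sys
from pathlib import Path

# Assumed cutoff: ordinary shortcuts are a few KB, the campaign's are abnormally large.
# The 1 MiB figure is this example's assumption, not a value from the ASEC report.
SIZE_THRESHOLD = 1024 * 1024

# Every Shell Link starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Strings from the chain the report describes: CMD launching PowerShell and the %public% staging files.
KEYWORDS = ("cmd", "powershell", "viewer.dat", "search.dat", "find.bat")


def contains_keyword(data: bytes, keyword: str) -> bool:
    """Match case-insensitively as ASCII and as UTF-16LE (LNK StringData is stored as UTF-16LE)."""
    low = data.lower()  # bytes.lower() folds only ASCII letters, which is all these keywords use
    kw = keyword.lower()
    return kw.encode("ascii") in low or kw.encode("utf-16-le") in low


def assess_lnk(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Return triage findings for the raw bytes of one shortcut file."""
    is_lnk = data.startswith(LNK_HEADER)
    hits = [k for k in KEYWORDS if contains_keyword(data, k)]
    return {
        "is_lnk": is_lnk,
        "size": len(data),
        "oversized": len(data) > size_threshold,
        "keywords": hits,
        # Flag only the combination the report describes: a real LNK, abnormally large, invoking PowerShell.
        "suspicious": is_lnk and len(data) > size_threshold and "powershell" in hits,
    }


def scan_directory(root: str, size_threshold: int = SIZE_THRESHOLD) -> list:
    """Walk a directory tree and return (path, findings) for every flagged .lnk file."""
    flagged = []
    for path in Path(root).rglob("*.lnk"):
        findings = assess_lnk(path.read_bytes(), size_threshold)
        if findings["suspicious"]:
            flagged.append((str(path), findings))
    return flagged


def constructed_sample() -> bytes:
    """Constructed input: LNK header, UTF-16LE target/arguments, then padding that mimics an appended payload."""
    strings = "C:\\Windows\\System32\\cmd.exe /c powershell -WindowStyle Hidden".encode("utf-16-le")
    return LNK_HEADER + b"\x00" * 56 + strings + b"\x00" * (SIZE_THRESHOLD + 1)


if __name__ == "__main__":
    for path, findings in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {findings['size']} bytes, keywords={findings['keywords']}")
```

Run it against a directory of collected shortcuts; a hit only indicates the size/keyword combination and still needs manual review.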

MITRE Techniques

  • [T1059.001] PowerShell – The LNK file executes PowerShell commands to create and execute a legitimate document file. Quote: “When the LNK file is executed, it runs PowerShell commands to create and execute a legitimate document file.”
  • [T1059.003] Windows Command Shell – The LNK file contains a command to execute PowerShell via CMD. Quote: “The LNK file contains a command to execute PowerShell via CMD.”
  • [T1027] Obfuscated/Compressed Files and Information – The data shows “Encoded RokRAT malware” inside viewer.dat. Quote: “Encoded RokRAT malware.”
  • [T1055] Process Injection – The script allocates executable memory and creates a thread to run the payload. Quote: “VirtualProtect($buffer, …); … CreateThread(0, 0, $buffer, 0, 0, 0)”
  • [T1567.002] Exfiltration to Cloud Storage – Collected information is transmitted to cloud services (pCloud, Yandex, DropBox). Quote: “transmitted to the threat actor’s cloud server using cloud services such as pCloud, Yandex, and DropBox.”
  • [T1082] System Information Discovery – The malware collects PC information (system information, IP, router information, etc.). Quote: “Collection of PC information (system information, IP, router information, etc.)”
  • [T1083] File and Directory Discovery – The malware collects directory listings and contents of Startup and APPDATA folders. Quote: “Collection of directory listings” and “Startup folder listings, %APPDATA% folder listings, and recently used file listings”
  • [T1070.004] Indicator Removal on Host – File Deletion – The malware deletes specific files in the Startup folder. Quote: “Deletion of specific files (with VBS, CMD, BAT, and LNK extensions) within the Startup folder”

Indicators of Compromise

  • [Hash] File Hashes – b85a6b1eb7418aa5da108bc0df824fc0, 358122718ba11b3e8bb56340dbe94f51, and 6 more hashes
  • [Filename] Affected files – viewer.dat, search.dat, find.bat
  • [URL] Cloud exfiltration endpoints – https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1, https://cloud-api.yandex.net/v1/disk/resources/download?path=%s
  • [Email] Threat actor emails – tanessha.samuel@gmail[.]com, tianling0315@gmail[.]com, w.sarah0808@gmail[.]com, softpower21cs@gmail[.]com

Read more: https://asec.ahnlab.com/en/65076/