AhnLab Security Intelligence Center (ASEC) identified a new distribution method for RokRAT malware using Hangul Word Processor (.hwp) documents containing embedded OLE objects. The attack leverages DLL side-loading via legitimate executables and shellcode hidden in an image file to execute RokRAT and steal user information. #RokRAT #ShellRunas.exe #DLLSideLoading
Key points
- RokRAT malware was recently discovered being distributed through Hangul Word Processor documents instead of traditional shortcut (LNK) files.
- The malicious .hwp files include embedded OLE objects that automatically create and execute ShellRunas.exe in the %TEMP% directory.
- ShellRunas.exe is a legitimate Microsoft-signed program used to load a malicious DLL (credui.dll) via DLL side-loading.
- Other legitimate programs, such as accessenum.exe and hhc.exe, were abused in the same way to load malicious DLLs.
- The credui.dll downloads an image file (Father.jpg) from Dropbox containing shellcode that loads RokRAT into memory.
- RokRAT can collect sensitive user information and execute commands from the threat actor.
- The report lists MD5 hashes of the malicious files associated with this campaign.
MITRE Techniques
- [T1204] User Execution – The attack uses a hyperlink in the HWP document prompting the user to run ShellRunas.exe (‘a warning window is displayed asking whether to execute ShellRunas.exe’).
- [T1105] Ingress Tool Transfer – The credui.dll downloads the Father.jpg file containing shellcode from Dropbox (‘downloads the Father.jpg file from Dropbox’).
- [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking – Malicious DLLs such as credui.dll are side-loaded by legitimate executables like ShellRunas.exe (‘malicious DLL, credui.dll, which is located in the same path, is loaded using the DLL side-loading technique’).
- [T1059] Command and Scripting Interpreter – The embedded shellcode inside an image file is executed in memory (‘shellcode to load RokRAT into the memory at a specific location’).
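An added detection example, not taken from the ASEC report: it flags the side-loading pattern described above, a system DLL name (credui.dll) loaded from outside the Windows system directories by a host such as ShellRunas.exe. It assumes Sysmon-style ImageLoad (Event ID 7) records reduced to key=value lines; the records below are constructed samples with no spaces in paths.

```python
# Added detection example (not from the ASEC report): flags Sysmon-style
# ImageLoad records where a DLL that normally lives in System32 (credui.dll,
# as named in the report) is loaded from a user-writable directory.
import ntpath
import re

# DLL name the report ties to side-loading; extend as indicators are published.
SIDELOADED_DLLS = {"credui.dll"}
# Host binaries the report names as abused for side-loading.
ABUSED_HOSTS = {"shellrunas.exe", "accessenum.exe", "hhc.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample records mimicking Sysmon Event ID 7 fields (assumption:
# paths contain no spaces, so a simple key=value regex is enough).
SAMPLE_EVENTS = [
    r"Image=C:\Users\u\AppData\Local\Temp\ShellRunas.exe ImageLoaded=C:\Users\u\AppData\Local\Temp\credui.dll Signed=false",
    r"Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\credui.dll Signed=true",
    r"Image=C:\Tools\accessenum.exe ImageLoaded=C:\Tools\credui.dll Signed=false",
    r"Image=C:\Users\u\AppData\Local\Temp\ShellRunas.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def is_sideload(event):
    """True when a watched system DLL name is loaded from a non-system path."""
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if dll not in SIDELOADED_DLLS:
        return False
    return not in_system_dir(event["ImageLoaded"])

def find_sideloads(lines):
    """Return one finding per suspicious load, noting whether the host is a known abused binary."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload(ev):
            host = ntpath.basename(ev["Image"]).lower()
            findings.append({"host": host, "dll": ev["ImageLoaded"],
                             "known_host": host in ABUSED_HOSTS})
    return findings

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS):
        print(finding)
```

The legitimate explorer.exe load of credui.dll from System32 is not flagged, while the two loads from %TEMP% and C:\Tools are, so the rule keys on load path rather than DLL name alone.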
Indicators of Compromise
- [File Names] Malicious Hangul documents used for distribution – 250615_Operation status of grain store.hwp, Recent major portal site.hwpx
- [File Names] Embedded files involved in execution – ShellRunas.exe, credui.dll
- [File Hashes] MD5 hashes linked to malicious files – a2ee8d2aa9f79551eb5dd8f9610ad557, d5fe744b9623a0cc7f0ef6464c5530da, and 3 more hashes
- [URLs] Download source for shellcode – Dropbox URL hosting Father.jpg image file (exact URL not provided)
Read more: https://asec.ahnlab.com/en/89130/