A new variant of the RoKRAT malware used by the APT37 group employs encrypted shellcode and steganography to evade detection and persist through fileless attacks. The report emphasizes the critical need for effective EDR systems to detect abnormal endpoint behaviors and manage such sophisticated threats. #RoKRAT #APT37 #Steganography
Key points
- Identification of a new RoKRAT malware variant deploying encrypted shellcode to impede analysis.
- Use of steganography to hide malware within image files, facilitating covert operations.
- Execution of continuous fileless attacks to bypass traditional security defenses.
- RoKRAT leverages cloud services like Dropbox for command and control (C2) communication.
- Malware distributed via malicious LNK shortcut files embedding PowerShell and batch commands.
- Adversaries attempt indicator removal by deleting files after execution to evade detection.
- Advocates for deployment of efficient EDR systems to monitor and detect abnormal endpoint activities.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – RoKRAT uses cloud services like Dropbox for C2 communication.
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands are executed through the malware.
- [T1203] Exploitation for Client Execution – Malware is distributed via malicious LNK files.
- [T1070.001] Indicator Removal on Host: File Deletion – Attempts to delete indicators of compromise after execution.
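The behaviours listed above (an LNK-style PowerShell launch from the desktop shell, an image file read and later deleted, and outbound traffic to a cloud storage service) are individually common but suspicious in sequence. The following is an added illustration of how an EDR-style detection could correlate them per host; it is not code from the Genians report or from any product. The telemetry lines, the pipe-separated field layout, the event names and the scoring weights are all constructed for this example, and the trailing-data check on JPEG files is only a heuristic for appended payloads, not a detector for pixel-level steganography.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not real RoKRAT logs). Hypothetical field layout:
#   ts|host|event|parent_image|image|detail
TELEMETRY = """\
1|WS01|process|explorer.exe|powershell.exe|-windowstyle hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2|WS01|file_read|explorer.exe|powershell.exe|C:\\Users\\u\\AppData\\Local\\Temp\\photo.jpg
3|WS01|network|explorer.exe|powershell.exe|api.dropboxapi.com:443
4|WS01|file_delete|powershell.exe|cmd.exe|C:\\Users\\u\\AppData\\Local\\Temp\\photo.jpg
5|WS02|process|explorer.exe|powershell.exe|-File C:\\scripts\\inventory.ps1
6|WS02|network|explorer.exe|powershell.exe|intranet.corp.local:443
"""

# "-enc <long base64>" (or -e / -encodedcommand) is the usual shape of an encoded PowerShell payload.
B64_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Only Dropbox is named in the report; a defender would extend this list to other cloud services they do not use.
CLOUD_C2_DOMAINS = ("dropbox.com", "dropboxapi.com")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse(telemetry: str):
    """Split the constructed telemetry into event dicts."""
    events = []
    for line in telemetry.strip().splitlines():
        ts, host, event, parent, image, detail = line.split("|", 5)
        events.append({"ts": int(ts), "host": host, "event": event,
                       "parent": parent.lower(), "image": image.lower(), "detail": detail})
    return events


def score_host(events):
    """Return (score, reasons) for one host's events, evaluated in timestamp order."""
    score, reasons, staged = 0, [], set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        detail, low = e["detail"], e["detail"].lower()
        if (e["event"] == "process" and e["image"] == "powershell.exe"
                and e["parent"] == "explorer.exe"
                and ("hidden" in low or "bypass" in low or B64_ARG.search(detail))):
            score += 2
            reasons.append("explorer.exe spawned PowerShell with hidden/bypass/encoded args (LNK-style launch)")
        elif e["event"] == "file_read" and e["image"] == "powershell.exe" and low.endswith(IMAGE_EXT):
            score += 1
            staged.add(low)   # remember the image so a later deletion of it can be tied back
            reasons.append(f"PowerShell read image file {detail}")
        elif e["event"] == "network" and any(dom in low for dom in CLOUD_C2_DOMAINS):
            score += 1
            reasons.append(f"outbound connection to cloud storage {detail}")
        elif e["event"] == "file_delete" and low in staged:
            score += 2
            reasons.append(f"staged image deleted after use {detail}")
    return score, reasons


def detect(telemetry: str, threshold: int = 4):
    """Correlate per host; return {host: (score, reasons)} for hosts at or above the threshold."""
    by_host = defaultdict(list)
    for e in parse(telemetry):
        by_host[e["host"]].append(e)
    return {host: (s, r) for host, evs in by_host.items()
            for s, r in [score_host(evs)] if s >= threshold}


def trailing_bytes_after_jpeg(data: bytes) -> int:
    """Number of bytes after the last JPEG End-Of-Image marker (FF D9).

    A value > 0 means something was appended to the image, which is one cheap
    triage check for payload-carrying images. It cannot see data hidden inside
    the pixel data, and a payload that itself contains FF D9 will be undercounted.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (missing SOI marker)")
    eoi = data.rfind(b"\xff\xd9")
    if eoi == -1:
        raise ValueError("no EOI marker found")
    return len(data) - (eoi + 2)


if __name__ == "__main__":
    for host, (score, reasons) in detect(TELEMETRY).items():
        print(f"ALERT {host} score={score}")
        for r in reasons:
            print("  -", r)
    # Constructed sample: a minimal JPEG with 32 bytes appended after EOI.
    print("trailing bytes:", trailing_bytes_after_jpeg(b"\xff\xd8\xff\xd9" + b"MZ" + b"\x00" * 30))
```

The weights are deliberately low on the individual signals (cloud traffic and image reads happen constantly) and high on the two that rarely occur together on a workstation: a shell-spawned PowerShell with evasive arguments and the deletion of the very file that process just read. Tuning the threshold against a week of real telemetry, and adding the Dropbox egress to a network allow-list review, is what makes this usable rather than noisy.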
Indicators of Compromise
- [File Hash] Malicious RoKRAT samples identified – a2ee8d2aa9f79551eb5dd8f9610ad557, ae7e18a62abb7f93b657276dcae985b9, and multiple others including d5fe744b9623a0cc7f0ef6464c5530da, f6d72abf9ca654a20bbaf23ea1c10a55.
Read more: https://www.genians.co.kr/blog/threat_intelligence/rokrat_shellcode_steganographic