A new variant of the RoKRAT malware used by the APT37 group has been identified, employing encrypted shellcode injection and steganography to evade detection. The malware abuses cloud services like Dropbox for C2 communication and uses fileless attacks, highlighting the need for advanced EDR monitoring. #RoKRAT #APT37 #Dropbox #Steganography
Key points
- APT37 group is distributing a new RoKRAT malware variant using large shortcut (.lnk) files embedding shellcode and commands.
- The malware uses a two-stage XOR encrypted shellcode injection method targeting processes like mspaint.exe and notepad.exe.
- Steganography is leveraged by embedding RoKRAT payloads within JPEG image files loaded from cloud storage, such as Dropbox.
- RoKRAT communicates with command and control servers through legitimate cloud APIs including Dropbox, pCloud, and Yandex.
- Multiple Dropbox API access tokens used by RoKRAT have been identified and revoked, and some threat actor account information was linked to Yandex email addresses.
- The malware operates with a fileless approach, executing code in memory to avoid traditional endpoint security detection.
- Endpoint Detection and Response (EDR) solutions provide critical visibility into attack behavior and enable timely detection and response to RoKRAT infections.
MITRE Techniques
- [T1204] User Execution – RoKRAT initiates infection through malicious shortcut files containing embedded commands executed by unsuspecting users (‘embedding Cmd or PowerShell commands within .lnk files’).
- [T1059] Command and Scripting Interpreter – PowerShell scripts and batch files are used to decode and execute shellcode (‘ttf03.bat triggers a sequence of PowerShell commands’).
- [T1055] Process Injection – Shellcode is injected into processes like mspaint.exe or notepad.exe to carry out code execution (‘The “InjectShellcode” module creates a process for “mspaint.exe” and performs shellcode injection’).
- [T1566] Phishing – Malicious shortcut files are delivered via compressed archives through email or instant messaging platforms (‘shortcut file found inside a compressed archive received via email or instant messaging platforms’).
- [T1027] Obfuscated Files or Information – Multiple XOR operations and steganography techniques are used to hide malicious code within image files (‘XOR operation on image resource data using the key 0xAA…second XOR operation with key 0x29’).
- [T1090] Proxy – Use of Cloud Storage Services for C2 – RoKRAT uses cloud services such as Dropbox and Yandex to communicate with its command and control infrastructure (‘abuse free cloud storage services as C2 channels like Dropbox, Yandex’).
- [T1086] PowerShell – PowerShell commands execute the decoding and loading of payload components (‘PowerShell command (ttf02.dat) executes XOR decoding and shellcode loading’).
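The following Python triage helper is an added example written for this summary; it is not code from the Genians report or from the malware. It shows two checks an analyst can run on artifacts described above: flagging oversized .lnk files that carry embedded PowerShell or script-stage strings (the report names ttf02.dat and ttf03.bat), and reversing the two-stage single-byte XOR (0xAA, then 0x29) on the data that trails a JPEG carrier to see whether a PE image was hidden there. The size threshold, the JPEG-tail scanning strategy, the sample .lnk layout and the constructed carrier are assumptions made for the example; only the XOR keys, the key order and the file names come from the page.

```python
"""Defender-side triage for the RoKRAT tradecraft summarised above (added example)."""
import struct
from typing import List, Optional, Tuple

# Key order as described in the report: first 0xAA, then 0x29.
XOR_KEYS = (0xAA, 0x29)

# Hypothetical threshold (assumption): a benign shortcut is a few KB; the report
# notes the malicious .lnk files are large because they carry an embedded payload.
LNK_SIZE_THRESHOLD = 100 * 1024

# Strings whose presence inside a .lnk body warrants a closer look. ttf02.dat and
# ttf03.bat are the stage file names given in the report; the rest are generic.
SUSPICIOUS_STRINGS = (b"powershell", b"cmd.exe", b"-enc", b"ttf02.dat", b"ttf03.bat")


def xor_stages(data: bytes, keys=XOR_KEYS) -> bytes:
    """Apply each single-byte XOR stage in order. XOR is its own inverse, so the
    same call both encodes and decodes; two fixed keys collapse to one (0xAA ^ 0x29)."""
    out = bytearray(data)
    for k in keys:
        out = bytearray(b ^ k for b in out)
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_hidden_pe(image: bytes) -> Optional[Tuple[int, bytes]]:
    """Decode the bytes after the JPEG end-of-image marker (FF D9) with both XOR
    keys and look for a PE image. Returns (offset_in_file, decoded_tail) or None.
    Scanning from the EOI marker is an assumption about the carrier layout; if no
    marker is present the whole file is examined."""
    eoi = image.find(b"\xff\xd9")
    start = eoi + 2 if eoi != -1 else 0
    decoded = xor_stages(image[start:])
    idx = decoded.find(b"MZ")
    while idx != -1:
        if looks_like_pe(decoded[idx:]):
            return start + idx, decoded[idx:]
        idx = decoded.find(b"MZ", idx + 1)
    return None


def triage_lnk(name: str, body: bytes) -> List[str]:
    """Return human-readable findings for a shortcut file; empty list means nothing notable.
    Checks both raw ASCII and UTF-16LE forms, since .lnk string data is usually UTF-16LE."""
    findings: List[str] = []
    if not name.lower().endswith(".lnk"):
        return findings
    if len(body) > LNK_SIZE_THRESHOLD:
        findings.append(f"oversized shortcut ({len(body)} bytes)")
    low = body.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    hits = [s.decode() for s in SUSPICIOUS_STRINGS
            if s in low or s.decode().encode("utf-16-le") in low]
    if hits:
        findings.append("embedded command strings: " + ", ".join(hits))
    return findings


def build_constructed_sample() -> bytes:
    """Constructed carrier for testing: minimal JPEG markers followed by a fake,
    non-executable PE stub encoded with the two XOR stages. Not a real sample."""
    fake_pe = (b"MZ" + b"\x00" * 0x3A            # DOS header up to e_lfanew at 0x3C
               + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
               + b"PE\x00\x00" + b"\x00" * 16)    # NT signature plus padding
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return jpeg + xor_stages(fake_pe)


def build_constructed_lnk() -> bytes:
    """Constructed oversized shortcut body with a UTF-16LE command string. Not a real sample."""
    header = b"L\x00\x00\x00"  # .lnk files begin with HeaderSize 0x4C
    return header + "powershell.exe ttf02.dat".encode("utf-16-le") + b"\x00" * (150 * 1024)


if __name__ == "__main__":
    print(triage_lnk("note.lnk", build_constructed_lnk()))
    hit = carve_hidden_pe(build_constructed_sample())
    print("hidden PE at offset", hit[0] if hit else None)
```

In practice the .lnk check is a cheap pre-filter for mail-gateway or EDR triage, while the carver is for offline analysis of images pulled from the cloud storage paths noted in the report; both only surface candidates that still need a human or sandbox verdict.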
Indicators of Compromise
- [File Hashes] Malicious samples related to RoKRAT variants – a2ee8d2aa9f79551eb5dd8f9610ad557, ae7e18a62abb7f93b657276dcae985b9, and 9 more hashes.
- [File Names] Malicious shortcut and DLL files – “국가정보와 방첩 원고.lnk”, “북한이탈주민의 성공적인 남한정착을 위한 아카데미 운영.lnk”, “mpr.dll”, “version1.0.tmp”.
- [Cloud API Tokens] Dropbox Access Tokens used for C2 communication – hFkFeKn8jJIAAAAAAAAAAZr14zutJmQzoOx-g5k9SV9vy7phb9QiNCIEO7SAp1Ch, gYQs1sJ0etEAAAAAAAAAAUsEYLCFpEUR38u0SxDzsfL2F8ZCLokJPGpPsq4OTNUX, and 2 more tokens.
- [Email Addresses] Threat actor related cloud service accounts – [email protected], [email protected], [email protected], [email protected].
Read more: https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic