Chain Reaction: ROKRAT’s Missing Link – Check Point Research

Check Point Research tracks how ROKRAT’s deployment has evolved into LNK-based, multi-stage infection chains that sidestep macro restrictions, showing a shift from macro-laden documents to oversized LNK loaders. The campaigns target South Korean affairs, link to related tools such as GOLDBACKDOOR and Amadey, and span Windows, macOS (CloudMensis) and Android (RambleOn) deployments. #ROKRAT #GOLDBACKDOOR #Amadey #APT37 #NorthKorea

Key points

  • CPR tracks the evolution of ROKRAT and its delivery methods, highlighting multi-stage LNK-based infection chains.
  • ROKRAT’s loader shifted from macro-laden documents to large LNK files disguised as legitimate content to bypass macro blocks.
  • Infections predominantly lure South Korean audiences with Korean-language content about domestic and foreign affairs.
  • Campaigns tie into other actor tools, notably GOLDBACKDOOR and the commodity malware Amadey.
  • ROKRAT has cross-platform presence (Windows, macOS CloudMensis, Android RambleOn), illustrating ongoing development across ecosystems.
  • The report details multiple infection chains (e.g., July 2022 National Assembly lures, January 2023 Libya projects, April 2023 diplomacy topics) and the decoy document strategy.

MITRE Techniques

  • [T1059.001] PowerShell – The LNK chain triggers PowerShell to extract, drop, and execute payloads. Quote: “…The PowerShell extracts a document file from the LNK, drops it to the disk, and then opens it.”
  • [T1105] Ingress Tool Transfer – The chain downloads payloads from cloud storage (OneDrive) as part of the infection flow. Quote: “…downloads a payload from OneDrive, decodes it by taking the first byte of the payload as a key, and XORs it with the remainder of the payload.”
  • [T1055] Process Injection – Payload is reflectively injected into PowerShell, causing it to run as a new thread. Quote: “…reflectively injected into PowerShell, causing it to run as a new thread.”
  • [T1027] Obfuscated Files or Information – ROKRAT uses encrypted strings to hinder static analysis. Quote: “…uses encrypted strings to prevent some of the techniques used from being visible to static analysis.”
  • [T1567.002] Exfiltration to Cloud Storage – Victim data is uploaded to cloud storage with layered encryption (XOR, AES-CBC, RSA). Quote: “…ROKRAT uploads a file to the server that contains the following information about the victim machine: … The data is XORed with a random four-byte key. The data is then encrypted with AES-CBC. Finally, the AES key is encrypted with a hardcoded RSA public key…”
  • [T1071.001] Web Protocols / Cloud C2 – C2 communications rely on cloud infrastructure (DropBox, pCloud, Yandex Cloud, OneDrive). Quote: “…the threat actor relies on cloud infrastructure for C&C functions, including DropBox, pCloud, Yandex Cloud, and OneDrive.”
  • [T1113] Screen Capture – Data collection includes screenshots of the infected machine. Quote: “…and grabs a screenshot of the machine.”
  • [T1082] System Information Discovery – ROKRAT collects machine data (username, VM tools, BIOS, SMBIOS, etc.). Quote: “CollectMachineData collects various information about the infected machine.”
  • [T1562.001] Impair Defenses – KillCertainProcessesThread terminates two Hancom Office processes that parse postscript data (gbB.exe and gswin32c.exe). Quote: “…This thread kills two processes, gbB.exe and gswin32c.exe, which are responsible for parsing postscript data in Hancom Office.”
  • [T1059.005] Visual Basic – Malicious VBA macros in Word documents decode further VBA in memory and inject and run shellcode without writing any code to disk. Quote: “…The macro decodes a new VBA script, writes it to a new module in the macro, and then executes it. This is done without dropping any of the code to the disk.”
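The T1105 entry above describes a simple stage encoding: the first byte of the blob fetched from OneDrive is the key, and that key is XORed over the remainder. The following analyst-side decoder is an added example, not code from the Check Point report or from ROKRAT itself; it assumes (as the report's description of reflective injection suggests, but does not state outright) that the decoded stage is a Windows PE image, and all sample bytes are constructed for the example.

```python
"""Decode and triage a first-byte-XOR encoded stage (analyst tooling).

Constructed example; assumes the decoded stage is a PE image so the
'MZ'/'PE\\0\\0' headers can serve as a decode sanity check.
"""
from __future__ import annotations


def decode_first_byte_xor(blob: bytes) -> bytes:
    """Return blob[1:] XORed with blob[0].

    Mirrors the scheme quoted under T1105: byte 0 is the key, the rest is
    the encoded payload. An empty blob has no key byte and is rejected.
    """
    if not blob:
        raise ValueError("empty payload: no key byte present")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check for a decoded Windows stage.

    A PE image starts with the DOS 'MZ' header and stores the offset of the
    'PE\\0\\0' signature as a little-endian dword at 0x3C.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return len(data) >= pe_off + 4 and data[pe_off:pe_off + 4] == b"PE\0\0"


def matches_stage_encoding(blob: bytes) -> bool:
    """True if decoding blob with its own first byte yields a PE image.

    Useful for triaging blobs recovered from proxy logs or cloud-storage
    fetches: a match is strong evidence of the encoding described above.
    Note that a key byte of 0x00 makes the decode an identity, so a plain
    PE file also matches; treat the result as a signal, not proof.
    """
    if not blob:
        return False
    return looks_like_pe(decode_first_byte_xor(blob))


def build_constructed_sample(key: int = 0x5A) -> bytes:
    """Build a constructed (not real) encoded blob for demonstration.

    The plaintext is a 256-byte skeleton with only the 'MZ' header, the
    e_lfanew field pointing at 0x80, and a 'PE\\0\\0' signature there.
    """
    header = bytearray(0x100)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    header[0x80:0x84] = b"PE\0\0"
    return bytes([key]) + bytes(b ^ key for b in header)


if __name__ == "__main__":
    sample = build_constructed_sample()
    decoded = decode_first_byte_xor(sample)
    print("key byte:", hex(sample[0]))
    print("decoded starts with MZ:", decoded[:2] == b"MZ")
    print("matches stage encoding:", matches_stage_encoding(sample))
```

The decoder is deliberately separate from the PE check so the same function can be pointed at a blob whose decoded form is something other than a PE (for example, the document that the report says the LNK chain drops and opens); only the triage helper bakes in the PE assumption.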

Indicators of Compromise

  • [File Hashes] context – (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip: 1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3, (0722)상임위원회 및 상설특별위원회 위원 명단(최종).lnk: cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286, and 2 more hashes
  • [File Hashes] context – 202207221.bat: 240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a
  • [File Hashes] context – 사례비_지급의뢰서.doc: 12ecabf01508c40cfea1ebc3958214751acfb1cd79a5bf2a4b42ebf172d7381b
  • [File Hashes] context – projects in Libya.zip: 00d88009fa50bfab849593291cce20f8b2f2e2cf2428d9728e06c69fced55ed5, Pipelines Profile (Elfeel- Sharara-Mellitah).lnk: 6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494, and 2 more hashes
  • [File Hashes] context – securityMail (1).zip: eb03f8b8e41b3ad27ccdecb092111e2c3c010436ad59add42755e2af04762b67, securityMail_1031.html.lnk: 050c65d45e5f21018aa940f0188c4aa1318ac3df865d901f8643ed7ce4a4b52c, and 2 more hashes
  • [Domains] context – link.b4a.app, docx1.b4a.app, and 2 more domains
  • [URLs] context – two api[.]onedrive[.]com share URLs ending in …/root/content (listed in defanged form below) and four additional OneDrive and file-sharing URLs.

Indicators of Compromise (defanged)

  • [URLs] context – hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content
  • [URLs] context – hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhkSUpseW14b21abFd2WW8_ZT15SjJTSkk/root/content
  • [Domains] context – naver-file[.]com, link[.]b4a[.]app, docx1[.]b4a[.]app

Read more: https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/