IBM X-Force assesses that ITG10 is targeting South Korean government, universities, think tanks, and dissidents with RokRAT delivered via LNK-based phishing. The operation uses decoy documents and multi-stage PowerShell payloads to download RokRAT from the cloud and perform C2 communications, with ties to DPRK threat activity.
#RokRAT #ITG10 #DPRK
#RokRAT #ITG10 #DPRK
Keypoints
- ITG10 is likely targeting South Korean government, universities, think tanks, and dissidents.
- Phishing emails spoof legitimate senders to deliver RokRAT via LNK files.
- Email attachments mimic legitimate documents as decoys.
- RokRAT campaigns involve multi-stage payloads and decoy documents to conceal the final payload.
- RokRAT can perform remote C2 commands, data exfiltration, file download/upload, and keylogging.
- Decoy lure documents target DPRK-related foreign policy and related personnel/organizations.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “Phishing emails spoof legitimate senders to deliver RokRAT via LNK files.”
- [T1059.001] PowerShell – “LNK file contains a PowerShell command” and “PowerShell Commands” to download RokRAT.
- [T1027.001] Obfuscated/Compressed Files and Information – “obfuscation technique for the dropped files being hex-encoding vs. string concatenation.”
- [T1105] Ingress Tool Transfer – “downloading a second stage RokRAT shellcode” hosted on cloud storage such as OneDrive.
- [T1071.001] Web Protocols – “RokRAT can execute remote C2 commands” and “GET requests” to C2 endpoints.
- [T1059.005] Visual Basic / VBScript – “LNK files drop VBS” and related obfuscation in VBS payloads.
Indicators of Compromise
- [LNK] f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753 – LNK dropper used in RokRAT campaign
- [LNK] cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286 – additional LNK sample
- [PDF Decoy] 7ef2c0d2ace70fedfe5cd919ad3959c56e7e9177dcc0ee770a4af7f84da544f1 – lure document: 2023년도 4월 29일 세미나.pdf
- [PDF Decoy] ce56b011ac4663a40f0ba606c98c08aaf7caf6a45765aa930258fe2837b12181 – lure document: 계약서내용.pdf
- [Batch File] 230415.bat – batch file dropped by LNK
- [ZIP] (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip – zipped lure document
- [ZIP] projects in Libya.zip – zipped lure document
- [HWP Decoy] 0722.hwp – decoy HWP document
- [docx] Proposed MOU GTE Korea.docx – document lure
- [JPEG] 7aa7233feb8e8a7b71ae6cdd0ddb8c2b192d4b6e131fed1ade82efdcb8096c57 – JPEG decoy
- [C2] xn--vn4b27hka971hbue.kr – C2 domain
- [C2] partybbq.co.kr – C2 domain
Read more
Read more
Read more: https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/