RedEyes (ScarCruft/APT37) has expanded its toolkit by distributing RokRAT via LNK files. The LNKs trigger PowerShell to create and execute payloads in the Temp folder, download encoded data from cloud storage, and deploy RokRAT to harvest credentials. Hashtags: #RokRAT #ScarCruft #APT37 #LNK #PowerShell #OneDrive
Keypoints
- The RedEyes/ScarCruft group has distributed RokRAT using LNK files, adding to prior CHM malware campaigns.
- The LNKs contain PowerShell commands that can perform malicious behavior by creating and executing a script file along with a normal file in the Temp folder. ‘The LNK files that were discovered this time contain PowerShell commands that can perform malicious behavior by creating and executing a script file along with a normal file in the temp folder.’
- The 230407Infosheet.lnk is disguised with a PDF icon and contains a malicious PowerShell command. ‘The 230407Infosheet.lnk file is disguised with a PDF icon and contains a malicious PowerShell command.’
- The LNK data includes normal PDF data plus malicious script codes and dummy bytes, used to camouflage the payload.
- The embedded PowerShell reads the LNK file itself at fixed offsets and writes the carved data to the Temp folder as 230407Infosheet.pdf (the decoy document) and 230412.bat, then executes them. ‘The LNK file is read up to 0x890F4 and is saved and executed with the filename “230407Infosheet.pdf” in the Temp folder while excluding the first 0x9AA…’ ‘Then reads up to 0x89D9A and saves/executes 230412.bat in Temp.’
- RokRAT is decoded, injected into PowerShell, and used to collect credentials and download additional malware, with exfiltration to cloud storage. ‘The injected data is the RokRAT malware that is capable of collecting user credentials and downloading additional malware.’
- The final PowerShell command downloads encoded data from OneDrive shares, decodes it, and injects it into the PowerShell process to perform malicious behavior. ‘decodes it, and injects it into the PowerShell process to perform malicious behavior.’
- The attack exfiltrates data to cloud services (pcloud, Yandex) with a Googlebot-like UserAgent to disguise traffic. ‘The collected information is sent to the threat actor’s cloud server using cloud services such as pcloud and yandex. The UserAgent in the request header is disguised as Googlebot.’
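The layout described above (a valid shortcut structure followed by an appended decoy PDF and script that the PowerShell command carves out by offset) is something a file-triage check can look for without knowing the offsets in advance. The following Python script is an added example, not code from the ASEC report or from this summary: it walks the documented MS-SHLLINK structure (header, optional ID list and LinkInfo, StringData, ExtraData blocks) to find where the real shortcut ends, treats everything after the terminal ExtraData block as an overlay, and reports the command-line arguments together with whether the overlay carries a PDF header. The `build_sample_lnk` helper, its overlay contents and the `structure_end`/`suspicious` field names are constructed for the demonstration; the only argument text taken from the page is the `/c powershell -windowstyle hidden` fragment quoted in the MITRE Techniques list.

```python
import struct

# Shell Link header constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised and unfocused

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structure and report what follows it (the overlay)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for flag, name in STRING_FIELDS:               # CountCharacters + characters, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            raw = data[off:off + count * width]
            off += count * width
            # Assumption: ANSI strings decoded as cp1252; real files use the system code page.
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    while off + 4 <= len(data):                    # ExtraData blocks end with a BlockSize < 4
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    overlay = data[off:]                           # anything past the structure is appended data
    args = strings.get("arguments", "")
    return {
        "arguments": args,
        "show_command": show_command,
        "structure_end": off,
        "overlay_size": len(overlay),
        "overlay_has_pdf": b"%PDF-" in overlay,
        "powershell_in_args": "powershell" in args.lower(),
        "hidden_window": "windowstyle hidden" in args.lower() or show_command == SW_SHOWMINNOACTIVE,
        # Heuristic (assumption): a shortcut carrying an overlay that is a PDF or that launches
        # PowerShell matches the decoy-plus-payload pattern; a plain shortcut has no overlay.
        "suspicious": len(overlay) > 0 and (b"%PDF-" in overlay or "powershell" in args.lower()),
    }


def build_sample_lnk(arguments: str, overlay: bytes) -> bytes:
    """Constructed minimal LNK (header + arguments + terminal block + overlay); not a real sample."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + b"\x00\x00\x00\x00" + overlay


if __name__ == "__main__":
    sample = build_sample_lnk("/c powershell -windowstyle hidden", b"%PDF-1.7\n" + b"A" * 100)
    for key, value in parse_lnk(sample).items():
        print(f"{key}: {value}")
```

Because the boundary is found structurally rather than by hardcoded offset, the same check applies whether the decoy starts at 0x9AA as in the report's sample or anywhere else; `structure_end` is the offset a carving tool would start from.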
MITRE Techniques
- [T1023] Shortcut Modification – The LNK file is disguised with a PDF icon and contains a malicious PowerShell command. ‘The 230407Infosheet.lnk file is disguised with a PDF icon and contains a malicious PowerShell command.’
- [T1059.003] Windows Command Shell – The PowerShell command is executed through cmd.exe: ‘/c powershell -windowstyle hidden’.
- [T1059.001] PowerShell – The LNK contains a PowerShell command used to run payloads. ‘The LNK files that were discovered this time contain PowerShell commands that can perform malicious behavior…’
- [T1105] Ingress Tool Transfer – The LNK-driven process downloads encoded data from OneDrive. ‘downloads the encoded data from hxxps://api.onedrive.com/v1.0/shares/…’
- [T1055] Process Injection – The payload is decoded and injected into the PowerShell process to execute. ‘injects it into the PowerShell process to perform malicious behavior.’
- [T1027] Obfuscated/Compressed Files and Information – The payload uses HEX-encoded data that is decoded and executed. ‘malicious commands which exist as HEX values.’
- [T1567.002] Exfiltration to Cloud Storage – Collected data is exfiltrated to cloud services (pcloud, Yandex). ‘The collected information is sent to the threat actor’s cloud server using cloud services such as pcloud and yandex.’
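Two of the network behaviours above are easy to turn into log-side detection: a Googlebot User-Agent is Google's crawler identifying itself, so it should never originate from an internal host, and a PowerShell User-Agent pulling `/v1.0/shares/` content from the OneDrive API is the staging step quoted under T1105. The following Python script is an added example, not code from the ASEC report or from this summary. It parses a constructed proxy-log format (timestamp, source IP, method, URL, status, quoted User-Agent), matches destinations against the cloud storage domains named on the page, and returns the matching events with a reason. The log format, the sample lines and the two heuristics are assumptions for the demonstration; the `u!EXAMPLE` share token is a placeholder, not one of the page's URLs.

```python
import re
from urllib.parse import urlparse

# Cloud storage domains named in the report as download or exfiltration endpoints.
# Matched by registered-domain suffix so api.onedrive.com, webdav.yandex.ru etc. all count.
CLOUD_STORAGE_SUFFIXES = ("onedrive.com", "pcloud.com", "yandex.ru", "yandex.com")

# Constructed log format (assumption): ts src method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def is_cloud_storage(host: str) -> bool:
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def classify(event: dict):
    """Return a reason string if the event matches one of the report's patterns, else None."""
    host = urlparse(event["url"]).hostname
    ua = event["ua"].lower()
    if not is_cloud_storage(host):
        return None
    # Heuristic 1 (assumption): a crawler UA on an outbound request is a disguise, not a crawler.
    if "googlebot" in ua:
        return "Googlebot User-Agent from internal host to cloud storage (exfiltration pattern)"
    # Heuristic 2 (assumption): PowerShell's default UA fetching shared OneDrive content.
    if "windowspowershell" in ua and "/v1.0/shares/" in event["url"]:
        return "PowerShell fetching OneDrive shares content (payload staging pattern)"
    return None


def scan(lines):
    """Parse each log line and collect the events that match, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        event = m.groupdict()
        reason = classify(event)
        if reason:
            findings.append({"src": event["src"], "url": event["url"], "reason": reason})
    return findings


# Constructed sample log: two exfiltration-style hits, one staging hit, one benign browse.
SAMPLE_LOG = [
    '2023-04-12T09:15:02Z 10.0.5.23 POST https://api.pcloud.com/uploadfile 200 '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '2023-04-12T09:15:10Z 10.0.5.23 GET https://api.onedrive.com/v1.0/shares/u!EXAMPLE/root/content 200 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2023-04-12T09:16:44Z 10.0.7.8 GET https://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0"',
    '2023-04-12T09:17:01Z 10.0.9.1 PUT https://webdav.yandex.ru/backup.bin 201 '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["src"]} -> {finding["url"]}: {finding["reason"]}')
```

The Googlebot rule is the higher-confidence one: legitimate software on a workstation has no reason to claim to be Google's crawler, so any match is worth a ticket regardless of destination, and restricting it to the storage domains here only keeps the example focused on the page's infrastructure.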
Indicators of Compromise
- [Hash] LNK files – 0f5eeb23d701a2b342fc15aa90d97ae0, aa8ba9a029fa98b868be66b7d46e927b, 657fd7317ccde5a0e0c182a626951a9f, be32725e676d49eaa11ff51c61f18907
- [Hash] BAT files – 8fef5eb77e0a9ef2f97591d4d150a363, 461ce7d6c6062d1ae33895d1f44d98fb
- [URL] Cloud storage endpoints – hxxps://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content, hxxps://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content
- [Filename] LNK filenames – 230407Infosheet.lnk, April 29th 2023 Seminar.lnk, 2023 Personal Evaluation.hwp.lnk, NK Diplomat Dispatch Selection and Diplomatic Offices.lnk, NK Diplomacy Policy Decision Process.lnk
Read more: https://asec.ahnlab.com/en/51751/