In a recent analysis, cybersecurity experts have provided detailed insights into the RokRAT remote access trojan, utilized by ScarCruft, a state-sponsored threat actor associated with North Korea.
RokRAT is an advanced RAT that plays a crucial role in the attacker’s overall strategy, granting unauthorized entry, extracting sensitive data, and potentially establishing persistent control over compromised systems.
ScarCruft, an espionage group with a track record dating back to 2012, conducts cyber operations on behalf of the North Korean government, specifically focusing on targets in South Korea.
ScarCruft, suspected to operate under the North Korean Ministry of State Security (MSS), employs sophisticated attack strategies that heavily rely on social engineering techniques to spear-phish victims and infiltrate target networks.
One notable method involves exploiting vulnerabilities in Hancom’s Hangul Word Processor (HWP), a popular productivity software used by public and private entities in South Korea. This exploitation allows ScarCruft to deploy the RokRAT malware.
The RokRAT Backdoor
Initially designed as a Windows backdoor named DOGCALL, RokRAT has undergone active development and maintenance. It has since expanded its reach to other operating systems, including macOS and Android.
Recent targeted phishing campaigns, as reported by the AhnLab Security Emergency Response Center (ASEC) and Check Point, have employed LNK files to initiate multi-stage infection sequences, ultimately leading to the deployment of the RokRAT malware.
RokRAT provides the threat actors with various capabilities, including collecting system metadata, capturing screenshots, executing remote commands, directory enumeration, and the exfiltration of specific files.
ASEC’s disclosure of a ScarCruft attack highlighted the use of a Windows executable disguised as a Hangul document, which drops malware programmed to establish contact with an external URL every 60 minutes.
Although the URL appears to be a legitimate homepage, ASEC noted that it hosts a web shell, indicating malicious intent.
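The fixed 60-minute check-in described above is the kind of behaviour a defender can hunt for in proxy logs. The following is an added example, not code from the article or from ASEC: it parses constructed proxy log lines (timestamp, client host, URL; a hypothetical format) and flags any host/URL series whose request gaps are highly regular, reporting the inferred period so that 60-minute beaconing stands out among ordinary browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not taken from the article): "<ISO timestamp> <host> <url>".
# PC-ALICE contacts a legitimate-looking page once an hour; PC-BOB browses irregularly.
SAMPLE_LOG = """\
2024-01-10T09:00:03 PC-ALICE http://legit-looking.example/index.php
2024-01-10T09:14:51 PC-ALICE http://news.example/home
2024-01-10T10:00:05 PC-ALICE http://legit-looking.example/index.php
2024-01-10T11:00:02 PC-ALICE http://legit-looking.example/index.php
2024-01-10T12:00:07 PC-ALICE http://legit-looking.example/index.php
2024-01-10T09:03:00 PC-BOB http://news.example/home
2024-01-10T09:41:00 PC-BOB http://news.example/home
2024-01-10T13:20:00 PC-BOB http://news.example/home
"""


def parse_log(text):
    """Group request timestamps by (host, url); assumes the hypothetical 3-field format above."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, url = line.split()
        events[(host, url)].append(datetime.fromisoformat(ts))
    return events


def beacon_candidates(events, min_hits=4, max_jitter=0.1):
    """Return (host, url, mean_gap_seconds) for series whose gaps are nearly constant.

    Regularity is judged by the coefficient of variation of the inter-request gaps
    (population stdev / mean); a value below max_jitter marks a likely scheduled beacon.
    """
    hits = []
    for (host, url), times in events.items():
        if len(times) < min_hits:
            continue  # too few requests to infer a schedule
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((host, url, avg))
    return hits


if __name__ == "__main__":
    for host, url, period in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {url}: ~{period / 60:.1f} min period")
```

On the constructed sample only PC-ALICE's hourly request to the index page is reported; in production, combine the period with request size and response-code regularity to reduce false positives from legitimate polling software.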