"South Korean Lures Used to Deploy ROKRAT Malware"

Security researchers at Check Point Research have discovered that the North Korean threat actor known as APT37 has been changing its deployment methods, using lures themed around South Korean foreign and domestic affairs: archives containing Windows shortcut (LNK) files that initiate ROKRAT infection chains. The researchers stated that their findings suggest the various multi-stage infection chains used to eventually load ROKRAT were also utilized in other attacks, leading to the deployment of additional tools affiliated with the same actor. Those tools include another custom backdoor, Goldbackdoor, and the commodity malware Amadey. The researchers noted that ROKRAT infection chains, first spotted in 2017, historically involved a malicious Hangul Word Processor (HWP) document with an exploit or a Microsoft Word document with macros. While some ROKRAT samples still use these techniques, the researchers observed a shift to delivering ROKRAT with LNK files disguised as legitimate documents. The researchers noted that this shift is not exclusive to ROKRAT but represents a larger trend that became very popular in 2022. In July of that year, Microsoft began blocking macros in Office applications by default in an effort to minimize the spread of malware. The researchers stated that, technically, ROKRAT mainly focuses on running additional payloads designed for data exfiltration. It relies on cloud infrastructure for C&C functions, including Dropbox, pCloud, Yandex Cloud, and OneDrive. ROKRAT also collects information about the machine to prevent further infection of unintended victims.
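The delivery pattern described above, an archive carrying a shortcut that is dressed up as a document, is something a defender can triage mechanically. The following is an added example, not code from Check Point Research, Infosecurity, or any ROKRAT report: it parses the documented Shell Link (MS-SHLLINK) header and StringData fields of every .lnk entry in a ZIP and reports the traits that make a shortcut look like a document-disguised loader (double extension, a shell or script interpreter as target, command-line arguments, a minimized window, an icon borrowed from a different program). The sample archive, the shortcut contents and the interpreter and document-extension lists are constructed for the example; the icon path is a placeholder.

```python
import io
import struct
import zipfile

# LinkFlags bits and ShowCommand value as documented in MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # target window opens minimized, nothing visible to the user

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # fixed Shell Link CLSID
# Heuristic lists chosen for this example; tune them to your environment
INTERPRETERS = ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")
DOC_EXTENSIONS = (".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Parse the Shell Link fields needed for triage; raise ValueError if not an LNK."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)      # LinkFlags
    show_cmd, = struct.unpack_from("<I", data, 0x3C)   # ShowCommand
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                # skip LinkTargetIDList (size prefix, 2 bytes)
        size, = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:                          # skip LinkInfo (LinkInfoSize covers the struct)
        size, = struct.unpack_from("<I", data, offset)
        offset += size
    strings = {}
    # StringData entries appear in this fixed order, each as CountCharacters + characters
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count, = struct.unpack_from("<H", data, offset)
            offset += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[offset:offset + width * count]
            offset += width * count
            strings[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return {"flags": flags, "show_command": show_cmd, **strings}


def triage_lnk(entry_name: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a document-disguised loader (empty if none)."""
    lnk = parse_lnk(data)
    reasons = []
    stem = entry_name.lower()[:-4]                     # drop ".lnk" to inspect the inner extension
    if stem.endswith(DOC_EXTENSIONS):
        reasons.append("double extension: shortcut named like a document")
    target = lnk.get("relative_path", "").lower()
    if target.endswith(INTERPRETERS):
        reasons.append(f"target is a script interpreter or shell: {target}")
    if lnk.get("arguments"):
        reasons.append("command-line arguments present")
    icon = lnk.get("icon_location", "").lower()
    if icon and target.endswith(INTERPRETERS) and not icon.endswith(INTERPRETERS):
        reasons.append("icon location does not match target executable")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimized (SW_SHOWMINNOACTIVE)")
    return reasons


def scan_archive(archive_bytes: bytes) -> dict:
    """Map every .lnk entry of a ZIP archive to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                reasons = triage_lnk(info.filename, zf.read(info))
            except ValueError as exc:
                reasons = [str(exc)]
            findings[info.filename] = ["shortcut delivered inside archive"] + reasons
    return findings


def build_sample_lnk(target: str, args: str, icon: str, show_cmd: int) -> bytes:
    """Constructed test fixture: a minimal Unicode Shell Link carrying only the strings we inspect."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(target) + string_data(args) + string_data(icon)


# Constructed sample archive: one disguised shortcut, one harmless shortcut, one text file
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Press_Release.hwp.lnk", build_sample_lnk(
        "..\\..\\..\\Windows\\System32\\cmd.exe", "/c echo constructed-sample",
        "C:\\placeholder\\DocumentViewer.exe", SW_SHOWMINNOACTIVE))
    _zf.writestr("Desktop.lnk", build_sample_lnk("notepad.exe", "", "", 1))
    _zf.writestr("notes.txt", "benign text")
SAMPLE_ARCHIVE_BYTES = _buf.getvalue()

if __name__ == "__main__":
    for name, reasons in scan_archive(SAMPLE_ARCHIVE_BYTES).items():
        print(name, "->", "; ".join(reasons))
```

Any .lnk inside a mailed archive is worth a look on its own; the other traits raise the score. A real triage pipeline would add the LinkTargetIDList path (the target is often there rather than in RelativePath), the EnvironmentVariableDataBlock, and the machine identifier in the TrackerDataBlock, none of which this short parser reads.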


Infosecurity reports: "South Korean Lures Used to Deploy ROKRAT Malware"
