The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Alert: North Korean Hackers Targeting South Korea With Rokrat Trojan

ALERT: North Korean hackers targeting South Korea with RokRat Trojan


A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.

Attributing the attack to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access trojan (RAT).

“The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad,” the researchers noted in a Wednesday analysis.



Believed to be active since at least 2012, the Reaper APT is known for its focus on public and private entities primarily in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare organizations. Since then, its victimology has expanded beyond the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

While previous attacks leveraged malware-laced Hangul Word Processor (HWP) documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.

The Microsoft VBA document uploaded to VirusTotal in December purported to be a meeting request dated January 23, 2020, implying that the attacks took place almost a year earlier.

Chief among the responsibilities of the macro embedded in the file is to inject shellcode into a Notepad.exe process, which then downloads the RokRat payload in encrypted form from a Google Drive URL.
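As an added, defender-side illustration of the chain just described (this is not code from Malwarebytes or from the article): a small Python correlator over constructed Sysmon-style events that flags a notepad.exe which was spawned by an Office process, received a remote thread from that process, and then connected to one of the cloud-storage services named in this article. The event field names follow Sysmon's conventions; the hostnames other than drive.google.com are assumed API endpoints, and the log lines are constructed samples, not real telemetry.

```python
"""Correlate Office -> notepad.exe injection with cloud-storage egress.

Stages (Sysmon event IDs): 1 = process create, 8 = CreateRemoteThread,
3 = network connection. All three must land on the same target PID.
"""
import json
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Cloud services the article names; the API hostnames are assumptions.
CLOUD_HOSTS = {"drive.google.com", "api.box.com",
               "api.dropboxapi.com", "cloud-api.yandex.net"}

# Constructed sample events (JSON lines); PID 5200 is a benign control case.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessId":4100,"Image":"C:\\Windows\\System32\\notepad.exe","ParentProcessId":3020,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID":8,"SourceProcessId":3020,"SourceImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","TargetProcessId":4100,"TargetImage":"C:\\Windows\\System32\\notepad.exe"}
{"EventID":3,"ProcessId":4100,"Image":"C:\\Windows\\System32\\notepad.exe","DestinationHostname":"drive.google.com","DestinationPort":443}
{"EventID":1,"ProcessId":5200,"Image":"C:\\Windows\\System32\\notepad.exe","ParentProcessId":900,"ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":3,"ProcessId":5200,"Image":"C:\\Windows\\System32\\notepad.exe","DestinationHostname":"drive.google.com","DestinationPort":443}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injection_chains(log_text: str) -> list:
    """Return one record per PID that completes all three stages of the chain."""
    spawned_by_office = set()      # PIDs whose parent is an Office process
    injected_by_office = set()     # PIDs that received a thread from Office
    cloud_egress = defaultdict(set)  # PID -> cloud hosts contacted
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        eid = ev["EventID"]
        if eid == 1 and basename(ev["ParentImage"]) in OFFICE_IMAGES:
            spawned_by_office.add(ev["ProcessId"])
        elif eid == 8 and basename(ev["SourceImage"]) in OFFICE_IMAGES:
            injected_by_office.add(ev["TargetProcessId"])
        elif eid == 3 and ev.get("DestinationHostname", "").lower() in CLOUD_HOSTS:
            cloud_egress[ev["ProcessId"]].add(ev["DestinationHostname"].lower())
    # Requiring all three stages keeps ordinary notepad.exe traffic (PID 5200) quiet.
    return [{"pid": pid, "hosts": sorted(cloud_egress[pid])}
            for pid in sorted(spawned_by_office & injected_by_office)
            if pid in cloud_egress]


if __name__ == "__main__":
    for hit in find_injection_chains(SAMPLE_LOG):
        print(f"Office->notepad.exe injection with cloud egress: {hit}")
```

On a real host, key the correlation on process GUIDs rather than PIDs, since PIDs are reused over time.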

RokRat, first publicly documented by Cisco Talos in 2017, is a RAT of choice for APT37, with the group using it for a number of campaigns since 2016. A Windows-based backdoor distributed via trojanized documents, it is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual-machine checks, and leveraging cloud storage APIs such as Box, Dropbox, and Yandex.

In 2019, the cloud service-based RAT gained additional features to steal Bluetooth device information as part of an intelligence-gathering effort directed against investment and trading companies in Vietnam and Russia and a diplomatic agency in Hong Kong.

“The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro,” the researchers concluded. “That technique is a clever choice that can bypass many static detection mechanisms and hide the main intent of a malicious document.”



Some components of this report are sourced from:
thehackernews.com
