S0240 ROKRAT
ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[1][2][3]
| Item | Value |
|---|---|
| ID | S0240 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.3 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ROKRAT can use HTTP and HTTPS for command and control communication.[1][6][5] |
| enterprise | T1010 | Application Window Discovery | ROKRAT can use the GetForegroundWindow and GetWindowText APIs to discover where the user is typing.[1] |
| enterprise | T1123 | Audio Capture | ROKRAT has an audio capture and eavesdropping module.[7] |
| enterprise | T1115 | Clipboard Data | ROKRAT can extract clipboard data from a compromised host.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | ROKRAT has used Visual Basic for execution.[5] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | ROKRAT can steal credentials stored in web browsers by querying the browser's SQLite database.[2] |
| enterprise | T1555.004 | Windows Credential Manager | ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[2] |
| enterprise | T1005 | Data from Local System | ROKRAT can collect host data and specific file types.[6][3][5] |
| enterprise | T1622 | Debugger Evasion | ROKRAT can check for debugging tools.[2][6][5] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ROKRAT can decrypt strings using the victim's hostname as the key.[3][5] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.001 | Environmental Keying | ROKRAT relies on a specific victim hostname to execute and to decrypt important strings.[3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | ROKRAT can send collected files back over the same C2 channel.[1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | ROKRAT can send collected data to cloud storage services such as pCloud.[5][3] |
| enterprise | T1083 | File and Directory Discovery | ROKRAT has the ability to gather a list of files and directories on the infected system.[7][6][3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ROKRAT can request to delete files.[6] |
| enterprise | T1105 | Ingress Tool Transfer | ROKRAT can retrieve additional malicious payloads from its C2 server.[1][6][3][5] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.[1][3] |
| enterprise | T1112 | Modify Registry | ROKRAT can modify the HKEY_CURRENT_USER\Software\Microsoft\Office\ registry key so it can bypass the VB object model (VBOM) security setting on a compromised host.[5] |
| enterprise | T1106 | Native API | ROKRAT can use a variety of API calls to execute shellcode.[5] |
| enterprise | T1027 | Obfuscated Files or Information | ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[3][5] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.[5] |
| enterprise | T1057 | Process Discovery | ROKRAT can list the currently running processes on the system.[1][6] |
| enterprise | T1055 | Process Injection | ROKRAT can use VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread to execute shellcode within the address space of Notepad.exe.[5] |
| enterprise | T1012 | Query Registry | ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value and identify the machine type.[2] |
| enterprise | T1113 | Screen Capture | ROKRAT can capture screenshots of the infected system using the gdi32 library.[1][4][7][6][5] |
| enterprise | T1082 | System Information Discovery | ROKRAT can gather the hostname and the OS version to ensure it does not run on Windows XP or Windows Server 2003 systems.[1][4][7][6][3][5] |
| enterprise | T1033 | System Owner/User Discovery | ROKRAT can collect the username from a compromised host.[5] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing.[5] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | ROKRAT can check for VMware-related files and for DLLs related to sandboxes.[2][6][5] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.[1][7][3] |
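The T1112 row above describes ROKRAT changing an Office registry setting under HKEY_CURRENT_USER\Software\Microsoft\Office\ to bypass the VB object model (VBOM) trust setting. The following detection routine is an added example written for this page; it is not code from the ATT&CK project or from any of the cited reports. It assumes that the setting in question is the AccessVBOM DWORD under Office\<version>\<application>\Security (the value behind the "Trust access to the VBA project object model" checkbox), that registry writes arrive as Sysmon Event ID 13 records in which HKCU appears as HKU\<SID>, and that a DWORD is rendered as "DWORD (0x00000001)". The sample events are constructed. Writes that come from a non-Office process are rated higher, because a user enabling the option by hand does so from inside the Office application.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, flattened to
# key=value text for this example. Not real telemetry. HKCU is shown as HKU\<SID>,
# which is how Sysmon reports per-user hives.
SAMPLE_EVENTS = """\
EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details=C:\\Users\\alice\\u.exe
EventID=13 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM Details=DWORD (0x00000001)
EventID=13 Image=C:\\Windows\\System32\\wscript.exe TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\AccessVBOM Details=DWORD (0x00000001)
EventID=13 Image=C:\\Windows\\System32\\reg.exe TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM Details=DWORD (0x00000000)
EventID=12 Image=C:\\Windows\\System32\\wscript.exe TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Security
"""

# Path of the VBOM trust value (assumption for this example: AccessVBOM under
# Office\<version>\<app>\Security). Accepts HKU\<SID>, HKCU and HKEY_CURRENT_USER.
ACCESSVBOM_RE = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Office\\"
    r"(?P<version>\d+\.\d+)\\(?P<app>Word|Excel|PowerPoint|Access|Outlook)"
    r"\\Security\\AccessVBOM$",
    re.IGNORECASE,
)

# Processes from which a human enabling the setting would legitimately write it.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'key=value key=value' record; values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def dword_value(details: str) -> Optional[int]:
    """Decode Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None


def detect_vbom_tampering(events: Iterable[str]) -> List[dict]:
    """Return one alert per value-set event that turns AccessVBOM on."""
    alerts: List[dict] = []
    for line in events:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only value-set events carry Details
            continue
        m = ACCESSVBOM_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        if dword_value(ev.get("Details", "")) != 1:  # 0 = trust access disabled
            continue
        image = ev.get("Image", "")
        basename = image.rsplit("\\", 1)[-1].lower()
        alerts.append({
            "app": m.group("app"),
            "version": m.group("version"),
            "image": image,
            # An Office binary writing the value is consistent with a user
            # toggling the option; a script host or reg.exe doing it is not.
            "severity": "medium" if basename in OFFICE_IMAGES else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_vbom_tampering(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Run against the constructed sample, the routine ignores the Run-key write, the reset to 0 and the key-create event, and reports two AccessVBOM writes: the one from WINWORD.EXE at medium severity and the one from wscript.exe at high severity. In production the same logic would consume the Sysmon event fields directly rather than the flattened text used here, and the alert should be correlated with a preceding Office document open from an e-mail attachment (T1566.001 / T1204.002 above).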
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [2][7] |
References
1. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
2. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
3. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
4. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
5. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
6. Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
7. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.