Skip to content


ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.123

Item Value
ID S0240
Associated Names
Version 2.3
Created 17 October 2018
Last Modified 30 March 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ROKRAT can use HTTP and HTTPS for command and control communication.167
enterprise T1010 Application Window Discovery ROKRAT can use the GetForegroundWindow and GetWindowText APIs to discover where the user is typing.1
enterprise T1123 Audio Capture ROKRAT has an audio capture and eavesdropping module.5
enterprise T1115 Clipboard Data ROKRAT can extract clipboard data from a compromised host.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic ROKRAT has used Visual Basic for execution.7
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.2
enterprise T1555.004 Windows Credential Manager ROKRAT can steal credentials by leveraging the Windows Vault mechanism.2
enterprise T1005 Data from Local System ROKRAT can collect host data and specific file types.637
enterprise T1622 Debugger Evasion ROKRAT can check for debugging tools.267
enterprise T1140 Deobfuscate/Decode Files or Information ROKRAT can decrypt strings using the victim’s hostname as the key.37
enterprise T1480 Execution Guardrails -
enterprise T1480.001 Environmental Keying ROKRAT relies on a specific victim hostname to execute and decrypt important strings.3
enterprise T1041 Exfiltration Over C2 Channel ROKRAT can send collected files back over same C2 channel.1
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage ROKRAT can send collected data to cloud storage services such as PCloud.73
enterprise T1083 File and Directory Discovery ROKRAT has the ability to gather a list of files and directories on the infected system.563
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion ROKRAT can request to delete files.6
enterprise T1105 Ingress Tool Transfer ROKRAT can retrieve additional malicious payloads from its C2 server.1637
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.13
enterprise T1112 Modify Registry ROKRAT can modify the HKEY_CURRENT_USER\Software\Microsoft\Office\ registry key so it can bypass the VB object model (VBOM) on a compromised host.7
enterprise T1106 Native API ROKRAT can use a variety of API calls to execute shellcode.7
enterprise T1027 Obfuscated Files or Information ROKRAT can encrypt data prior to exfiltration by using an RSA public key.37
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.7
enterprise T1057 Process Discovery ROKRAT can list the current running processes on the system.16
enterprise T1055 Process Injection ROKRAT can use VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread to execute shellcode within the address space of Notepad.exe.7
enterprise T1012 Query Registry ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.2
enterprise T1113 Screen Capture ROKRAT can capture screenshots of the infected system using the gdi32 library.14567
enterprise T1082 System Information Discovery ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.145637
enterprise T1033 System Owner/User Discovery ROKRAT can collect the username from a compromised host.7
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing.7
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks ROKRAT can check for VMware-related files and DLLs related to sandboxes.267
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.153

Groups That Use This Software

ID Name References
G0067 APT37 25


Back to top