Cybersecurity researchers have analyzed the RokRAT remote access trojan used by the North Korean state-sponsored group ScarCruft. RokRAT is a sophisticated RAT that plays a critical role in the attack chain, granting unauthorized access, extracting sensitive information, and potentially maintaining control over compromised systems.
ScarCruft, operating since 2012, is a cyber espionage group affiliated with North Korea’s Ministry of State Security (MSS), with a focus on targeting South Korean entities. Their attack techniques involve social engineering, spear-phishing, and exploiting vulnerabilities in widely used software, such as Hancom’s Hangul Word Processor.
RokRAT, also known as DOGCALL, is a Windows backdoor actively developed and maintained by ScarCruft. It has also been adapted for other operating systems, including macOS and Android.
Recent spear-phishing attacks have been observed using LNK files to trigger multi-stage infections leading to the deployment of RokRAT. The trojan enables the adversary to gather system metadata, capture screenshots, execute remote commands, enumerate directories, and exfiltrate selected files.
A recent disclosure by AhnLab Security Emergency Response Center (ASEC) highlighted a ScarCruft attack that disguises a Windows executable as a Hangul document, dropping malware configured to contact an external URL every 60 minutes. ASEC noted that although the URL appears to be a regular homepage, it actually contains a web shell, indicating the presence of malicious activity.
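Because the callback URL looks like an ordinary homepage, URL reputation alone will not surface the dropper; the fixed 60-minute check-in cadence is a better hunting signal. The following is an added example, not code from ASEC or the article, that scores (source, host) pairs in web proxy logs for near-constant request intervals. The log format (`timestamp src_ip url`) and the sample lines are constructed for illustration; the interval and jitter thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the article): "timestamp src_ip url".
# One host is hit roughly every hour with a few seconds of jitter; the others are browsing noise.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z 10.0.0.7 http://example-homepage.invalid/index.php
2024-03-01T08:02:11Z 10.0.0.7 http://news.example/story/1
2024-03-01T09:00:09Z 10.0.0.7 http://example-homepage.invalid/index.php
2024-03-01T09:47:30Z 10.0.0.7 http://news.example/story/2
2024-03-01T10:00:02Z 10.0.0.7 http://example-homepage.invalid/index.php
2024-03-01T11:00:07Z 10.0.0.7 http://example-homepage.invalid/index.php
2024-03-01T12:00:04Z 10.0.0.7 http://example-homepage.invalid/index.php
2024-03-01T13:15:00Z 10.0.0.7 http://news.example/story/3
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host) tuples from the assumed space-separated log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, url = line.split(maxsplit=2)
        # Strip the scheme and path so requests to different paths on one host group together.
        host = url.split("//", 1)[-1].split("/", 1)[0]
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host


def find_periodic_beacons(text, min_hits=4, max_jitter_ratio=0.05):
    """Return {(src_ip, host): mean_interval_seconds} for pairs whose requests arrive at a
    near-constant interval.

    min_hits:         fewest requests before a pair is scored (assumed threshold).
    max_jitter_ratio: allowed stddev/mean of the inter-request gaps; lower is stricter.
    """
    times = defaultdict(list)
    for ts, src, host in parse_log(text):
        times[(src, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A scheduled check-in has gaps that barely vary; human browsing does not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, host), interval in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: ~{interval / 60:.1f} min cadence")
```

In the constructed sample only the hourly host is reported (about 60 minutes), while the browsing traffic is ignored for having too few hits and irregular spacing. Lengthen the observation window to at least a handful of periods before trusting a hit, and treat the output as a lead for host inspection rather than a verdict.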
These findings provide insight into ScarCruft’s persistent cyber espionage activities and their use of RokRAT as a powerful tool for compromising targeted systems and exfiltrating sensitive data.