RokRat (DOGCALL) – Malware

July 22, 2024

RokRat

Type of Malware

Remote Access Trojan

Additional names

DOGCALL

Country of Origin

North Korea

Targets

Government sectors in South Korea as well as journalists, activists, and North Korean defectors

Date of initial activity

2016

Associated Groups

APT37

Motivation

Cyberwarfare, Data theft

Attack Vectors

Phishing campaign mimicking credible senders

Variants

DOGCALL, CloudMensis, RambleOn

Type of information stolen

Login Credentials
Communication data
Browser Data

Targeted System

Originally Windows-only; over the years ROKRAT has been adapted to other platforms, namely macOS and Android

Overview

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 in targeted campaigns focused primarily on South Korean victims; APT37 employed it across multiple operations from 2016 through 2021. The backdoor is typically delivered as an encoded binary file that is downloaded and decrypted by shellcode after a weaponized document has been exploited. ROKRAT, also known as DOGCALL, offers screenshot capture, keystroke logging, anti-virtual-machine evasion techniques, and integration with cloud storage APIs such as Cloud, Box, Dropbox, and Yandex.

The initial infection vector is a malicious LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts that fetch the second-stage ROKRAT shellcode. Once deployed, ROKRAT provides remote command-and-control (C2) operations, data exfiltration, file manipulation (download/upload), and keylogging.

While ROKRAT’s core functionality has remained stable over time, its distribution tactics have evolved: recent iterations use archives containing LNK files that initiate complex multi-stage infection chains. Initially exclusive to Windows, ROKRAT has expanded its reach to macOS and Android. The macOS variant, also identified as CloudMensis, was first documented by ESET in July 2022, and Android versions such as RambleOn (Cumulus) have emerged, showing ROKRAT’s adaptability and its persistent threat across diverse operating systems.

Targets

Government sectors in South Korea as well as journalists, activists, and North Korean defectors

How they operate

North Korean threat actors associated with APT37 (Inky Squid, RedEyes, Reaper, ScarCruft) deploy ROKRAT (DOGCALL) and related malware with carefully planned operational strategies. Operations typically begin with targeted phishing campaigns designed to entice victims into opening malicious attachments or clicking compromised links. The phishing emails rely on social engineering to exploit human trust and raise the likelihood of a successful infection.

Upon execution, the initial payload, often disguised as an innocuous file such as an LNK shortcut or a document attachment, installs the core malware components. These components exploit software vulnerabilities or rely on social engineering to bypass security measures and gain initial access to the target system. Once established, the malware focuses on persistence: it modifies system settings, creates registry entries, or installs itself in hidden directories so that access survives reboots. This persistence is essential for maintaining long-term control over the compromised system.

Communication with remote command-and-control (C&C) servers is a critical part of the malware’s operation. Over encrypted channels, the malware connects to C&C servers operated by the threat actors, which allows the remote issuance of commands, updates to malware functionality, and the exfiltration of sensitive data. Data theft and exfiltration are the primary objectives: the malware harvests valuable information, including government documents, intellectual property, personal data, and financial information. Stolen data is encrypted and transmitted back to the C&C servers, where it is stored or further exploited for espionage or financial gain.

To evade detection and analysis, the malware employs evasion techniques such as encryption of communication channels, obfuscation of malicious code to thwart static and dynamic analysis, and steganography to conceal data within seemingly harmless files. These techniques improve the operators’ security and complicate efforts by defenders to detect and mitigate the malware’s impact. The malware may also download and execute secondary payloads or tools on compromised systems; these expand its capabilities to activities such as keylogging, screen capturing, or further network exploitation.

MITRE tactics and techniques

Enterprise
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Application Window Discovery (T1010)
  • Audio Capture (T1123)
  • Clipboard Data (T1115)
  • Command and Scripting Interpreter: Visual Basic (T1059.005)
  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
  • Credentials from Password Stores: Windows Credential Manager (T1555.004)
  • Data from Local System (T1005)
  • Debugger Evasion (T1622)
  • Deobfuscate/Decode Files or Information (T1140)
  • Execution Guardrails: Environmental Keying (T1480.001)
  • Exfiltration Over C2 Channel (T1041)
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
  • File and Directory Discovery (T1083)
  • Indicator Removal: File Deletion (T1070.004)
  • Ingress Tool Transfer (T1105)
  • Input Capture: Keylogging (T1056.001)
  • Modify Registry (T1112)
  • Native API (T1106)
  • Obfuscated Files or Information (T1027)
  • Phishing: Spearphishing Attachment (T1566.001)
  • Process Discovery (T1057)
  • Process Injection (T1055)
  • Query Registry (T1012)
  • Screen Capture (T1113)
  • System Information Discovery (T1082)
  • System Owner/User Discovery (T1033)
  • User Execution: Malicious File (T1204.002)
  • Virtualization/Sandbox Evasion: System Checks (T1497.001)
  • Web Service: Bidirectional Communication (T1102.002)

Significant Malware Campaigns

  • The confirmed LNK files contain a command to execute PowerShell via CMD, and their type is similar to the type found in “RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)” posted last year. (May 2024)
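
The cmd.exe-to-PowerShell shortcut pattern noted above, and the LNK infection chain described in the overview, can be triaged offline with a small parser for the Shell Link format’s StringData fields. The following is an added example written for this page, not code from CyberMaterial or from any of the referenced reports; it assumes the shortcut target is carried in the RelativePath string (real samples may place it in the IDList or LinkInfo, which this minimal parser only skips over), and the .lnk it scores is constructed in build_lnk with a placeholder argument string.

```python
import struct

# LinkFlags bits and header constants from the Shell Link (.LNK) binary format, MS-SHLLINK
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER_SIZE, LNK_CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
# PowerShell switches and cmdlets that rarely appear in a legitimate desktop shortcut
PS_TOKENS = ("-enc", "-w hidden", "-windowstyle hidden", "iex", "downloadstring", "frombase64string")

def parse_lnk_strings(data: bytes) -> dict:
    """Skip the header, IDList and LinkInfo, then return the StringData fields by name."""
    if len(data) < HEADER_SIZE or data[:20] != struct.pack("<I", HEADER_SIZE) + LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:          # IDListSize (u16) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:       # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, key in STRING_FIELDS:
        if flags & bit:             # CountCharacters (u16) followed by the characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def assess_lnk(data: bytes) -> list:
    """Triage one .lnk: flag the cmd.exe -> PowerShell launcher and an icon borrowed from a DLL."""
    f = parse_lnk_strings(data)
    target, args, icon = (f.get(k, "").lower() for k in ("relative_path", "arguments", "icon"))
    findings = []
    if target.endswith("cmd.exe") and "powershell" in args:
        findings.append("shortcut runs PowerShell through cmd.exe")
    findings += [f"suspicious PowerShell token in arguments: {t}" for t in PS_TOKENS if t in args]
    if target.endswith(("cmd.exe", "powershell.exe")) and icon.endswith(".dll"):
        findings.append(f"icon taken from {icon} rather than from the interpreter being launched")
    return findings

def build_lnk(target: str, arguments: str, icon: str) -> bytes:
    """Constructed minimal .lnk (header plus Unicode StringData only) used as offline test input."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # zeroed attributes, timestamps, size, icon index
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (target, arguments, icon))
```

To score a quarantined shortcut, pass its bytes to assess_lnk(); the findings are heuristics to prioritise sandbox review, not a verdict on their own.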
References:
  • LNK File Disguised as Certificate Distributing RokRAT Malware
  • CHAIN REACTION: ROKRAT’S MISSING LINK
  • ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)
  • ROKRAT
  • RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)