Security researchers have identified a sophisticated attack campaign attributed to APT37, a North Korean state-sponsored hacking group also known as ScarCruft, Reaper, and Red Eyes.
The group, active since 2012, has expanded its targets from South Korea to include Japan, Vietnam, the Middle East, and industries like healthcare and manufacturing.
Their latest attack leverages ZIP file attachments containing hidden malicious LNK files that deploy the RokRat remote access trojan through a multi-stage process.
Security analyst Mohamed Ezat from ZW01f noted that the attack begins with phishing emails carrying ZIP attachments that conceal malicious LNK files masquerading as documents related to North Korean affairs or trade agreements.
These emails are crafted to appear legitimate, often incorporating real information from websites to enhance credibility.
When a victim opens what appears to be a document, they unknowingly trigger the first stage of a complex infection chain.
Upon execution, the LNK file initiates a sequence that extracts multiple payloads and saves them to the victim’s temporary directory.
The infection flow demonstrates how the initial LNK file serves as a loader for subsequent stages. This technique helps the attackers evade detection by security solutions that focus solely on the initial file.
The LNK file contains embedded code that executes PowerShell commands to extract multiple components: a decoy HWPX document (a Korean document format), executable data files, and a batch script.
The PowerShell commands locate the LNK file itself by searching for files of a specific size, then extract data from predetermined offsets within the file structure.
Technical Analysis of the Attack Chain
The first stage begins with the LNK file executing PowerShell code that extracts several files at specific byte offsets. For example, at offset 0x111E, it extracts 0xAD36 bytes and saves it as an HWPX file, which serves as a decoy document.
The extracted files include caption.dat, elephant.dat, and shark.bat, with the latter being executed immediately.
The LNK command line invokes PowerShell to perform these operations. The shark.bat file launches PowerShell in a hidden window that reads elephant.dat from the temporary directory.
This PowerShell script then decrypts caption.dat using a single-byte XOR key ‘d’. The decrypted content is loaded directly into memory using Windows API functions like VirtualProtect and CreateThread, avoiding writing the final payload to disk.
This fileless approach significantly reduces the chance of detection by traditional antivirus solutions.
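The following script is an added analysis example for the two stages just described; it is not code from the article or from the researcher's write-up. It carves payloads out of an LNK carrier at fixed offsets and recovers a single-byte-XOR-encoded payload by trying every key until a known file header appears. The offsets 0x111E and 0xAD36 and the key 'd' are the values the article quotes; the position and length of the encoded payload, the file names, and the carrier bytes themselves are constructed for this example (HWPX is a ZIP container, so a carved decoy should begin with the PK local-file-header signature).

```python
"""Carve fixed-offset payloads from an LNK-style carrier and recover a
single-byte-XOR-encoded stage. Added triage example; the sample carrier is
constructed below, not taken from a real sample."""

# Offsets the article quotes for the decoy HWPX embedded in the LNK.
HWPX_OFFSET = 0x111E
HWPX_LEN = 0xAD36
# Assumption for this example: the encoded payload follows the decoy directly
# and is 512 bytes long (the article gives no offset or size for it).
CAPTION_OFFSET = HWPX_OFFSET + HWPX_LEN
CAPTION_LEN = 0x200
XOR_KEY = ord("d")                 # single-byte key named in the article

LNK_MAGIC = b"L\x00\x00\x00"       # LNK HeaderSize field is always 0x4C
ZIP_MAGIC = b"PK\x03\x04"          # HWPX is a ZIP container
PE_MAGIC = b"MZ"                   # DOS header of a Windows executable


def carve(data: bytes, offset: int, length: int) -> bytes:
    """Return `length` bytes at `offset`, refusing a short read instead of
    silently returning a truncated blob."""
    if offset < 0 or offset + length > len(data):
        raise ValueError(
            f"range {offset:#x}+{length:#x} exceeds file size {len(data):#x}")
    return data[offset:offset + length]


def xor_single(blob: bytes, key: int) -> bytes:
    """XOR every byte with one key; applying it twice restores the input."""
    return bytes(b ^ key for b in blob)


def guess_xor_key(blob: bytes, magic: bytes = PE_MAGIC):
    """Brute-force all 256 single-byte keys; return the one that reveals
    `magic` at the start of the blob, or None if no key does."""
    for key in range(256):
        if xor_single(blob[:len(magic)], key) == magic:
            return key
    return None


def triage(carrier: bytes) -> dict:
    """Carve the decoy and the encoded stage and report what they look like."""
    if not carrier.startswith(LNK_MAGIC):
        raise ValueError("not an LNK file (HeaderSize != 0x4C)")
    hwpx = carve(carrier, HWPX_OFFSET, HWPX_LEN)
    caption = carve(carrier, CAPTION_OFFSET, CAPTION_LEN)
    key = guess_xor_key(caption)
    decoded = xor_single(caption, key) if key is not None else b""
    return {
        "hwpx_is_zip": hwpx.startswith(ZIP_MAGIC),
        "xor_key": key,
        "decoded_is_pe": decoded.startswith(PE_MAGIC),
        "decoded_len": len(decoded),
    }


def build_constructed_carrier() -> bytes:
    """Constructed stand-in for the malicious LNK: a valid LNK header padded
    to the quoted offset, a stub ZIP-like decoy of the quoted length, then a
    stub PE encoded with the single-byte key."""
    head = LNK_MAGIC.ljust(HWPX_OFFSET, b"\x00")
    decoy = ZIP_MAGIC.ljust(HWPX_LEN, b"\x00")
    payload = (PE_MAGIC + b"\x90\x00" + b"stub payload").ljust(CAPTION_LEN, b"\x00")
    return head + decoy + xor_single(payload, XOR_KEY) + b"\x00" * 16


if __name__ == "__main__":
    print(triage(build_constructed_carrier()))
```

On a real sample the key search would be run against each carved blob, and the `ZIP_MAGIC`/`PE_MAGIC` checks replaced or extended with whatever headers the investigator expects; the point is that a single-byte XOR never hides a known file header from a 256-iteration loop.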
The final payload, RokRat, is a sophisticated remote access trojan that collects detailed system information, including OS version, hardware details, running processes, and screenshots.
It uses cloud services like pCloud, Yandex, and Dropbox as command and control channels, hiding its communications by spoofing legitimate Googlebot user-agent strings.
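The user-agent spoofing described above gives defenders a simple signal: Googlebot crawls inbound to web servers from Google's infrastructure, so a Googlebot user-agent on an outbound request from an internal workstation is out of place, and more so when the destination is a consumer cloud-storage service. The script below is an added detection example, not part of the article or the researcher's analysis; the proxy log lines are constructed, and the provider hostnames are matched by the provider names the article lists rather than by any specific API endpoint.

```python
"""Flag outbound proxy requests that combine a crawler user-agent with a
cloud-storage destination. Added detection example over constructed logs."""
import ipaddress
import json
import re

GOOGLEBOT_RE = re.compile(r"googlebot", re.IGNORECASE)
# Provider names the article lists as RokRat command-and-control channels;
# substring match on the destination host (assumption: hostnames contain them).
CLOUD_STORAGE = ("pcloud", "dropbox", "yandex")

# Constructed proxy log lines (JSON per line), not real traffic.
SAMPLE_LOG = [
    '{"ts":"2024-01-10T09:12:01Z","src":"10.0.0.5","host":"api.pcloud.com",'
    '"user_agent":"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}',
    '{"ts":"2024-01-10T09:12:05Z","src":"10.0.0.7","host":"www.example.com",'
    '"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}',
    '{"ts":"2024-01-10T09:13:40Z","src":"10.0.0.9","host":"content.dropboxapi.com",'
    '"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}',
    '{"ts":"2024-01-10T09:14:02Z","src":"10.0.0.5","host":"cloud-api.yandex.net",'
    '"user_agent":"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}',
    '{"ts":"2024-01-10T09:15:30Z","src":"10.0.0.11","host":"www.example.org",'
    '"user_agent":"Googlebot-Image/1.0"}',
]


def classify(rec: dict):
    """Return (severity, reasons) for one proxy record; severity is None when
    nothing is suspicious."""
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    host = rec.get("host", "").lower()
    ua = rec.get("user_agent", "")
    # Crawler UAs belong to inbound traffic; an internal client sending one
    # outbound is spoofing.
    if src.is_private and GOOGLEBOT_RE.search(ua):
        reasons.append("crawler user-agent on outbound client request")
    if any(name in host for name in CLOUD_STORAGE):
        reasons.append("destination is a cloud-storage service")
    if len(reasons) == 2:
        return "high", reasons        # spoofed UA *and* a C2-capable channel
    if reasons and reasons[0].startswith("crawler"):
        return "medium", reasons      # spoofed UA to an ordinary host
    if reasons:
        return "low", reasons         # cloud storage alone is common business use
    return None, reasons


def scan(lines) -> list:
    """Parse JSON log lines and return the flagged records with severity."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        severity, reasons = classify(rec)
        if severity:
            hits.append({"src": rec["src"], "host": rec["host"],
                         "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["src"], "->", hit["host"], hit["reasons"])
```

The low-severity bucket keeps ordinary cloud-storage use from drowning the alert queue while still recording it, so that a later pivot on the source host (for example after a screenshot-sized upload burst) has the history available.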
The malware has low detection rates despite its advanced capabilities.
RokRat includes anti-analysis features that detect virtual machines and debugging environments, allowing it to evade security researchers.
It also includes multiple command functions that enable attackers to execute remote commands, scan drives, collect files, and download additional payloads, making it a versatile tool for espionage and data theft operations.