Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

May 1, 2024, 11:06 p.m.

Description

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access trojan. When executed, the LNK file deployed a series of PowerShell scripts to download and execute the encrypted RokRat payload from a Dropbox link. Detailed analysis of the attack flow and malware components is provided, highlighting the group's persistent use of cloud services and evolving evasion techniques.

External References

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247498025&idx=1&sn=336c94786f14060ae5c583dc8c77370b&chksm=f9c1ca20ceb64336d678e5265df8264b81625947557b3ab882ec7f362bdf384ffe42e382ae8a&scene=178&cur_album_id=1955835290309230595
https://otx.alienvault.com/pulse/662fe9890daf0672d674c778
Tags
apt
lnk
rokrat
cloud
korea

Date

  • Created: April 29, 2024, 6:40 p.m.
  • Published: April 29, 2024, 6:40 p.m.
  • Modified: May 1, 2024, 11:06 p.m.

Indicators

  • a9cbb1927b391173265ff7a4fdefed59afeddd5b245a2a58c2637b01f87f6119
  • 5237d0498685869d7788406a998e58c829587a1a604106cce7d4042316351e3a
  • 3fd02c7057ef1324ad74714a7fc4b00ac338cfb172a788d98e5a781548b8f027
Download all indicators here!

Attack Patterns

  • ROKRAT - S0240
  • APT-C-28 (ScarCruft)
  • T1096
  • T1567
  • T1012
  • T1574
  • T1082
  • T1105
  • T1083
  • T1036
  • T1204
  • T1027
  • T1053
  • T1112
  • T1059