Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

May 1, 2024, 11:06 p.m.

Description

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access trojan. When executed, the LNK file deployed a series of PowerShell scripts to download and execute the encrypted RokRat payload from a Dropbox link. Detailed analysis of the attack flow and malware components is provided, highlighting the group's persistent use of cloud services and evolving evasion techniques.

Date

Published: April 29, 2024, 6:40 p.m.
Created: April 29, 2024, 6:40 p.m.
Modified: May 1, 2024, 11:06 p.m.

Indicators

a9cbb1927b391173265ff7a4fdefed59afeddd5b245a2a58c2637b01f87f6119

5237d0498685869d7788406a998e58c829587a1a604106cce7d4042316351e3a

3fd02c7057ef1324ad74714a7fc4b00ac338cfb172a788d98e5a781548b8f027

Attack Patterns

ROKRAT - S0240

APT-C-28 (ScarCruft)

T1096

T1567

T1012

T1574

T1082

T1105

T1083

T1036

T1204

T1027

T1053

T1112

T1059