Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack
May 1, 2024, 11:06 p.m.
Description
The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access trojan. When executed, the LNK file deployed a series of PowerShell scripts to download and execute the encrypted RokRat payload from a Dropbox link. Detailed analysis of the attack flow and malware components is provided, highlighting the group's persistent use of cloud services and evolving evasion techniques.
Date
Published: April 29, 2024, 6:40 p.m.
Created: April 29, 2024, 6:40 p.m.
Modified: May 1, 2024, 11:06 p.m.
Indicators
a9cbb1927b391173265ff7a4fdefed59afeddd5b245a2a58c2637b01f87f6119
5237d0498685869d7788406a998e58c829587a1a604106cce7d4042316351e3a
3fd02c7057ef1324ad74714a7fc4b00ac338cfb172a788d98e5a781548b8f027
Attack Patterns
ROKRAT - S0240
APT-C-28 (ScarCruft)
T1096
T1567
T1012
T1574
T1082
T1105
T1083
T1036
T1204
T1027
T1053
T1112
T1059