Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

May 1, 2024, 11:06 p.m.

Description

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access trojan. When executed, the LNK file deployed a series of PowerShell scripts to download and execute the encrypted RokRat payload from a Dropbox link. Detailed analysis of the attack flow and malware components is provided, highlighting the group's persistent use of cloud services and evolving evasion techniques.

Date

Published: April 29, 2024, 6:40 p.m.

Created: April 29, 2024, 6:40 p.m.

Modified: May 1, 2024, 11:06 p.m.

Indicators

a9cbb1927b391173265ff7a4fdefed59afeddd5b245a2a58c2637b01f87f6119

5237d0498685869d7788406a998e58c829587a1a604106cce7d4042316351e3a

3fd02c7057ef1324ad74714a7fc4b00ac338cfb172a788d98e5a781548b8f027

Attack Patterns

ROKRAT - S0240

APT-C-28 (ScarCruft)

T1096

T1567

T1012

T1574

T1082

T1105

T1083

T1036

T1204

T1027

T1053

T1112

T1059