APT37 - RokRat

March 12, 2025, 12:25 p.m.

Description

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on both Windows and Android through phishing campaigns. The attack vector is a malicious LNK (Windows shortcut) file distributed via group chat platforms. The infection chain begins with phishing emails carrying ZIP attachments that conceal the malicious LNK files. When a shortcut is executed, it starts a multi-stage chain of batch scripts and PowerShell that ultimately deploys RokRat as the final payload. RokRat is a remote access Trojan that collects detailed system information, abuses cloud services for command and control, and employs anti-analysis techniques; it can execute remote commands, exfiltrate data, and perform other malicious actions on infected systems.

Date

  • Created: March 12, 2025, 11:56 a.m.
  • Published: March 12, 2025, 11:56 a.m.
  • Modified: March 12, 2025, 12:25 p.m.

Indicators

  • cfc814a16547dd4e92607bd42d2722cc567492e88d2830d7d28a0cc20bf3950c
  • 9d96e4816a59475768d461a71cecf20fd99215ce289ecae8c865cf45feeb8802
  • 94159655fa0bfb1eff092835d8922d3e18ca5c73884fd0d8b78f42c8511047b6
  • 6d790df4a2c81e104db10f5e47eb663ca520a456b1305e74f18b2f20758ea4e1
  • 7df7ad7b88887a06b559cd453e7b65230d0cccff1a403328a521d8753000c6c9
  • 5306582c8a24508b594fed478d5abaa5544389c86ba507d8ebf98c5c7edde451
  • 09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232
  • 2b6928101efa6ededc7da18e7894866710c10794b8cbaf43b48c721e9731c41a
  • 1c4cd06ebece62c796ea517bf26cc869fa71213d17e30feb0f91c8a4cfa7ef1b
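
The infection chain described above (a ZIP attachment that conceals an LNK file) and the hash list suggest a straightforward mail-gateway or triage check. The script below is an added example, not code from this entry or from any tool it mentions: it opens a ZIP archive in memory, flags members that are Windows shortcuts either by extension or by the ShellLink header bytes (which also catches a shortcut renamed to a document extension), and compares each member's SHA-256 against the indicators listed above. It assumes those indicators are SHA-256 file hashes; the sample archive is constructed inline and matches none of them.

```python
"""Triage check for ZIP attachments carrying Windows shortcut (LNK) files.

Added example for this RokRat entry; not code from the advisory. It assumes
the indicators listed on the page are SHA-256 hashes of files.
"""
import hashlib
import io
import zipfile

# Indicators as listed on the page (assumed to be SHA-256 file hashes).
ROKRAT_SHA256 = frozenset({
    "cfc814a16547dd4e92607bd42d2722cc567492e88d2830d7d28a0cc20bf3950c",
    "9d96e4816a59475768d461a71cecf20fd99215ce289ecae8c865cf45feeb8802",
    "94159655fa0bfb1eff092835d8922d3e18ca5c73884fd0d8b78f42c8511047b6",
    "6d790df4a2c81e104db10f5e47eb663ca520a456b1305e74f18b2f20758ea4e1",
    "7df7ad7b88887a06b559cd453e7b65230d0cccff1a403328a521d8753000c6c9",
    "5306582c8a24508b594fed478d5abaa5544389c86ba507d8ebf98c5c7edde451",
    "09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232",
    "2b6928101efa6ededc7da18e7894866710c10794b8cbaf43b48c721e9731c41a",
    "1c4cd06ebece62c796ea517bf26cc869fa71213d17e30feb0f91c8a4cfa7ef1b",
})

# Every Windows shortcut starts with a 0x4C header size followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} (MS-SHLLINK).
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Do not inflate oversized members: a decompression bomb must not take the
# scanner down with it. The declared size is the cheap first gate.
MAX_MEMBER_SIZE = 16 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_lnk(name: str, data: bytes) -> bool:
    """Shortcut by extension or by header bytes; the header check catches a
    shortcut renamed to look like a document (e.g. 'invoice.pdf')."""
    return name.lower().endswith(".lnk") or data.startswith(LNK_HEADER)


def scan_zip(zip_bytes: bytes, known_hashes=ROKRAT_SHA256):
    """Return one finding per regular file in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                # Not inspected; treated as suspicious by should_quarantine().
                findings.append({"name": info.filename, "sha256": None,
                                 "lnk": False, "known_ioc": False, "skipped": True})
                continue
            data = zf.read(info.filename)
            digest = sha256_hex(data)
            findings.append({"name": info.filename, "sha256": digest,
                             "lnk": is_lnk(info.filename, data),
                             "known_ioc": digest in known_hashes, "skipped": False})
    return findings


def should_quarantine(findings) -> bool:
    """Hold the attachment if any member is a shortcut, matches a known
    indicator, or could not be inspected."""
    return any(f["lnk"] or f["known_ioc"] or f["skipped"] for f in findings)


def build_sample_zip(include_shortcuts: bool = True) -> bytes:
    """Constructed sample archive (not a real sample): one plain text file and,
    optionally, two shortcut payloads hiding behind document-like names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"meeting minutes")
        if include_shortcuts:
            zf.writestr("report.pdf.lnk", LNK_HEADER + b"\x00" * 56)
            zf.writestr("invoice.pdf", LNK_HEADER + b"\x00" * 56)  # renamed .lnk
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in scan_zip(sample):
        print(finding)
    print("quarantine:", should_quarantine(scan_zip(sample)))
```

In a gateway this would run on every ZIP attachment before delivery; the header check matters more than the extension check, because a double extension such as `report.pdf.lnk` is hidden by default in Explorer while a shortcut renamed to `.pdf` is invisible to an extension-only rule.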

Attack Patterns

Additional Information

  • Healthcare
  • Manufacturing
  • Japan