LNK File Disguised as Certificate Distributing RokRAT Malware

May 7, 2024, 8:48 a.m.

Description

This analysis examines the ongoing distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those involved with North Korea-related matters. Each LNK file bundles a legitimate document, script code, and encoded malware data. When executed, it drops and opens the document as a decoy while deploying the RokRAT backdoor, which collects user information and performs further malicious actions on the threat actor's command, using cloud services such as pCloud, Yandex, and Dropbox for its command-and-control channel. The report covers the operation structure, observed malicious behaviors, and the indicators of compromise associated with this campaign.

Date

Published: May 7, 2024, 8:32 a.m.

Created: May 7, 2024, 8:32 a.m.

Modified: May 7, 2024, 8:48 a.m.

Indicators

w.sarah0808@gmail.com

tanessha.samuel@gmail.com

tianling0315@gmail.com

softpower21cs@gmail.com

Attack Patterns

ROKRAT - S0240

Exfiltration Over Web Service - T1567

Query Registry - T1012

Hijack Execution Flow - T1574

Process Discovery - T1057

Ingress Tool Transfer - T1105

File and Directory Discovery - T1083

Application Layer Protocol - T1071

Deobfuscate/Decode Files or Information - T1140

Command and Scripting Interpreter - T1059