LNK File Disguised as Certificate Distributing RokRAT Malware
May 7, 2024, 8:48 a.m.
Description
This analysis examines the ongoing distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those working on North Korea-related matters. Each LNK file bundles a legitimate document, script code, and encoded malware data. When executed, it writes and opens the document as a decoy while deploying the RokRAT backdoor, which collects user information and carries out further malicious activity on the threat actor's instructions, using cloud services such as pCloud, Yandex, and Dropbox for command and control. The report covers the operation's structure, the observed malicious behaviors, and the indicators of compromise associated with this campaign.
Date
Published: May 7, 2024, 8:32 a.m.
Created: May 7, 2024, 8:32 a.m.
Modified: May 7, 2024, 8:48 a.m.
Indicators
w.sarah0808@gmail.com
tanessha.samuel@gmail.com
tianling0315@gmail.com
softpower21cs@gmail.com
Attack Patterns
ROKRAT - S0240
T1567 - Exfiltration Over Web Service
T1012 - Query Registry
T1574 - Hijack Execution Flow
T1057 - Process Discovery
T1105 - Ingress Tool Transfer
T1083 - File and Directory Discovery
T1071 - Application Layer Protocol
T1140 - Deobfuscate/Decode Files or Information
T1059 - Command and Scripting Interpreter