LNK File Disguised as Certificate Distributing RokRAT Malware

May 7, 2024, 8:48 a.m.

Description

This analysis covers the ongoing distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. Each LNK file bundles a legitimate document, script code, and encoded malware data. When executed, it drops and opens the document as a decoy while deploying the RokRAT backdoor, which collects user information and performs various malicious activities on the threat actor's command, using cloud services such as pCloud, Yandex, and Dropbox. The report describes the operation structure, the malicious behaviors, and the indicators of compromise associated with this campaign.

Date

  • Created: May 7, 2024, 8:32 a.m.
  • Published: May 7, 2024, 8:32 a.m.
  • Modified: May 7, 2024, 8:48 a.m.

Indicators

  • w.sarah0808@gmail.com
  • tanessha.samuel@gmail.com
  • tianling0315@gmail.com
  • softpower21cs@gmail.com

Attack Patterns