lazarusholic

APT37 - RokRat

2025-03-10, ZW01f
https://zw01f.github.io/malware%20analysis/apt37/
#APT37 #LNK #RokRAT

Meet APT37 Group
APT37, also known as ScarCruft, Reaper, and Red Eyes, is a North Korean state-sponsored hacking group that has been active since 2012. Originally, its operations focused on public and private sectors within South Korea, though in 2017, it extended its targets to include Japan, Vietnam, the Middle East, and industries such as healthcare and manufacturing. By 2023, APT37 had shifted to phishing campaigns targeting users on both Windows and Android platforms.
The group is known for leveraging various attack vectors, including malicious LNK files spread via group chat platforms to infect victims.
Technical Points
- Infection Vector: The attack begins with phishing emails carrying ZIP attachments that hide malicious LNK files masquerading as documents about North Korean affairs or trade agreements. When executed, the LNK file starts a multi-stage chain of batch scripts and PowerShell, with RokRat as the final payload.
- Host Profiling: RokRat collects detailed system information, …
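As an added triage example (not code from the original post), the check below lists the entries of a ZIP attachment and flags LNK files, detected either by the .lnk extension or by the Shell Link header, and names that imitate a document such as .docx.lnk; the archive it inspects is constructed sample data and the document-extension list is an assumption.

```python
import io
import zipfile

# Shell Link (LNK) header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Document extensions a lure LNK is likely to imitate (assumed list).
DOC_EXTENSIONS = (".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")


def triage_zip(data: bytes) -> list:
    """Return (entry_name, reason) findings for a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # only the header is needed
            by_magic = head == LNK_MAGIC
            by_name = name.endswith(".lnk")
            if not (by_magic or by_name):
                continue
            reasons = ["LNK entry"]
            stem = name[:-4] if by_name else name
            if stem.endswith(DOC_EXTENSIONS):
                reasons.append("document-like name" + (" (double extension)" if by_name else ""))
            if by_magic and not by_name:
                reasons.append("LNK header under a non-.lnk extension")
            findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one benign file plus two fake LNK bodies (header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("Trade_Agreement.docx.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```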

IoC
rule detct_RokRat
{
    meta:
        description = "Detects RokRat payload using some of its hardcoded strings"
        author = "Mohamed Ezzat (@ZW01f)"
        hash1 = "09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232"
        hash2 = "94159655fa0bfb1eff092835d8922d3e18ca5c73884fd0d8b78f42c8511047b6"
    strings:
        // cloud storage API endpoints used for C2 / exfiltration
        $s0 = "https://api.pcloud.com/deletefile?path=%s" wide
        $s1 = "https://api.dropboxapi.com/2/files/list_folder" wide
        $s3 = "https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s" wide
        $s4 = "https://cloud-api.yandex.net/v1/disk/resources?path=%s&limit=500" wide
        $s5 = "https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s" wide
        // file name used for the downloaded payload
        $s6 = "KB400928_doc.exe"
        // timestamp format string
        $s7 = "%04d%02d%02d %02d%02d%02d" wide
    condition:
        uint16(0) == 0x5A4D and all of ($s*)
}