Introducing ROKRAT

2017-04-03, CiscoTalos
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html
#RokRAT

This blog was authored by Warren Mercer and Paul Rascagneres with contributions from Matthew Molyett.
Executive Summary
A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed, this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT.
Like in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was '[email protected]' which is the contact email of the Korea Global Forum …

IoC
