lazarusholic

Reaper Uses New TTPs to Drop RokRAT

2023-05-15, PolySwarm
https://blog.polyswarm.io/reaper-uses-new-ttps-to-drop-rokrat
#RokRAT #TEMP.Reaper #LNK

Related Families: CloudMensis, RambleOn
Executive Summary
Reaper was recently observed using new TTPs to drop RokRAT. The infection chain relied on LNK files delivered through phishing emails themed around the energy sector and politics.
Key Takeaways
- Reaper was recently observed using new TTPs to drop RokRAT.
- The infection chain used LNK files to deliver RokRAT.
- In the campaign, Reaper used cloud storage services for C2.
What is RokRAT?
Check Point reported on RokRAT, a malware family used by Reaper to target entities in South Korea. RokRAT, also known as DogCall, has been in the wild since at least 2017. There is also a Mac variant of RokRAT, known as CloudMensis, and an Android variant, known as RambleOn.
RokRAT is used for credential theft, data exfiltration, capturing screenshots, gathering system information, executing commands and shellcode, and managing files and directories. Reaper often uses cloud storage services for C2.
While RokRAT has not changed much over the years, the TTPs used …

IoC
