Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
Contents
This post was authored by Hossein Jazi
On December 7 2020 we identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago.
The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad.
Based on the injected payload, we believe that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.
In the past, this APT has relied …
On December 7 2020 we identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago.
The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad.
Based on the injected payload, we believe that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.
In the past, this APT has relied …
IoC
2A253C2AA1DB3F809C86F410E4BD21F680B7235D951567F24D614D8E4D041576
3c59ad7c4426e8396369f084c35a2bd3f0caa3ba1d1a91794153507210a77c90
676AE680967410E0F245DF0B6163005D8799C84E2F8F87BAD6B5E30295554E08
A42844FC9CB7F80CA49726B3589700FA47BDACF787202D0461C753E7C73CFD2A
C7CCD2AEE0BDDAF0E6C8F68EDBA14064E4A9948981231491A87A277E0047C0CB
http://bit.ly/2Np1enh
3c59ad7c4426e8396369f084c35a2bd3f0caa3ba1d1a91794153507210a77c90
676AE680967410E0F245DF0B6163005D8799C84E2F8F87BAD6B5E30295554E08
A42844FC9CB7F80CA49726B3589700FA47BDACF787202D0461C753E7C73CFD2A
C7CCD2AEE0BDDAF0E6C8F68EDBA14064E4A9948981231491A87A277E0047C0CB
http://bit.ly/2Np1enh