Reverse Engineering RokRAT: A Closer Look at APT37's Onedrive-Based Attack Vector
Contents
Contents 2
Introduction 3
Who is APT37? 3
Attack Chain 4
Technical Analysis 5
  Collecting Victim's Data 5
  Evasion and Anti-Analysis 5
  Screenshot 6
  Command and Control Server Communication 6
  Commands Briefly 8
    ShellCode Execute 8
    File Exfiltration 8
    Drive Info Enumeration 9
MITRE ATT&CK 10
Introduction
This analysis report presents an investigation into the RokRAT malware, which was
employed in a recent cyber attack attributed to APT37 (Advanced Persistent Threat 37).
RokRAT is a sophisticated remote access trojan (RAT) that serves as a critical component
of the attack chain: it gives the threat actors unauthorized access to the compromised
system, lets them exfiltrate sensitive information, and can be used to maintain persistent
control over the host.
This report aims to provide a comprehensive understanding of the RokRAT malware by
examining its attack vector, infection chain, and the techniques employed during the attack.
Additionally, it offers valuable insights into the associated Indicators of Compromise (IOCs),
a YARA rule to aid in detection, and …