RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies
◈ Key Findings
- A new variant of the RoKRAT malware used by the APT37 group has been identified.
- The malware employs a two-stage encrypted shellcode injection method to hinder analysis.
- A steganography technique was discovered in which malicious code is concealed within image files.
- Fileless attacks continue to be used to evade detection by security solutions.
- Efficient EDR monitoring optimized for abnormal endpoint behavior detection is now essential.
1. Overview
Genians Security Center (GSC) has identified a new variant of the malware used by the APT37 group during an ongoing analysis. This threat actor is known for employing a malware strain commonly referred to as RoKRAT. In this case, the attacker utilizes shortcut files with the .lnk extension, embedding Cmd or PowerShell commands within them to carry out the attack.
This type of attack continues to be observed in South Korea, indicating a high level of threat activity. Its persistence suggests that it …
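As an added defender-side example (not code from the Genians report), the following Python parses the StringData fields of a Windows Shell Link (.lnk) file according to the MS-SHLLINK layout and flags shortcuts whose embedded command line hands off to cmd or PowerShell, the delivery pattern described above. The indicator list and the two sample .lnk files are constructed here for illustration, not taken from the report.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in on-disk order, each present only if its LinkFlags bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Tokens a defender would not expect in a document-looking shortcut (constructed list)
SUSPICIOUS = ("powershell", "pwsh", "cmd", "mshta", "-enc", "hidden", "bypass", "iex")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file (MS-SHLLINK layout)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                     # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        raw = data[pos + 2:pos + 2 + count * width]
        out[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += 2 + count * width
    return out

def lnk_findings(data: bytes) -> list:
    """Indicators found across all string fields; an empty list means nothing flagged."""
    text = " ".join(parse_lnk_strings(data).values()).lower()
    return sorted(k for k in SUSPICIOUS if k in text)

def build_sample_lnk(target: str, args: str) -> bytes:
    """Constructed fixture: minimal .lnk carrying only RelativePath and Arguments (Unicode)."""
    flags = IS_UNICODE | 0x08 | 0x20
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(target) + sd(args)

# Constructed samples: a shortcut that launches a hidden PowerShell, and a benign one
SUSPECT = build_sample_lnk(r"..\..\Windows\System32\cmd.exe",
                           '/c powershell -WindowStyle Hidden -Command "echo sample"')
BENIGN = build_sample_lnk(r"..\..\Program Files\Notepad.exe", "notes.txt")
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so it works on files taken from a quarantine folder as well as on the fixtures.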
IoC