The evolution of North Korean Android spyware
Please note that in this article, when I mention ROKRAT, I am referring specifically to the Android variant of the malware, not to the variants that target other operating systems.
Introduction
In December 2022, working with Interlab, we discovered a seemingly novel piece of Android spyware that was targeting human rights activists in South Korea. I published a reverse engineering report on the spyware through Interlab's website, which you can find here. I called this spyware RambleOn. At the time of writing, I had not seen samples of that nature disclosed anywhere else or surfaced by my retro-hunting. It was apparent, though, that many functions and features of the spyware were similar to those of ROKRAT, a malware family attributed to the North Korean threat group APT37. After we published our research, the industry iterated on the findings and brought to light further similarities between RambleOn and historic ROKRAT. In Check Point's report on the Windows ROKRAT …
IoC
0dadf1240fd097d15dee890d448cfab02d3ef8698bdc44e18f1b5495e500655f