Threat Analysis: ROKRAT Malware

2018-02-27, Carbonblack
https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/
#RokRAT

Description
ROKRAT (also referred to as DOGcall) is a family of malware that has been used by attackers originating from North Korea. The family continues to evolve and adopt techniques from other families also used by the same attack group. The ROKRAT core payload is typically deployed by a loader, which has also been observed dropping additional families. This blog will document the different phases typically observed when this malware is deployed, as well as the overlap in techniques used by this group.

Carbon Black has been monitoring the use of this and related families, and was asked by a Carbon Black IR partner for a technical write-up, which was provided. That technical analysis, together with related YARA signatures and analysis scripts, is also being released publicly to give practitioners and researchers additional insight into this malware family. A Python script was created to extract and decode the embedded …