ROKRAT
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ROKRAT can use HTTP and HTTPS for command and control communication.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021) |
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | ROKRAT has used Visual Basic for execution.(Citation: Malwarebytes RokRAT VBA January 2021) |
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.(Citation: Talos Group123) |
Enterprise | T1555.004 | Credentials from Password Stores: Windows Credential Manager | ROKRAT can steal credentials by leveraging the Windows Vault mechanism.(Citation: Talos Group123) |
Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | ROKRAT relies on a specific victim hostname to execute and decrypt important strings.(Citation: Volexity InkySquid RokRAT August 2021) |
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | ROKRAT can send collected data to cloud storage services such as PCloud.(Citation: Malwarebytes RokRAT VBA January 2021)(Citation: Volexity InkySquid RokRAT August 2021) |
Enterprise | T1070.004 | Indicator Removal: File Deletion | ROKRAT can request to delete files.(Citation: NCCGroup RokRat Nov 2018) |
Enterprise | T1056.001 | Input Capture: Keylogging | ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes.(Citation: Talos ROKRAT)(Citation: Volexity InkySquid RokRAT August 2021) |
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.(Citation: Malwarebytes RokRAT VBA January 2021) |
Enterprise | T1204.002 | User Execution: Malicious File | ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Malwarebytes RokRAT VBA January 2021) |
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | ROKRAT can check for VMware-related files and DLLs related to sandboxes.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021) |
Enterprise | T1102.002 | Web Service: Bidirectional Communication | ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.(Citation: Talos ROKRAT)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021) |

Groups That Use This Software

ID | Name | References |
---|---|---|
G0067 | APT37 | (Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019) |

References
- Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.