ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[1][2][3]

ID: S0240
Type: MALWARE
Platforms: Windows
Version: 2.3
Created: 17 October 2018
Last Modified: 30 March 2022

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.[2]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[2]

Enterprise T1005 Data from Local System

ROKRAT can collect host data and specific file types.[4][3][5]

Enterprise T1112 Modify Registry

ROKRAT can modify the HKEY_CURRENT_USER\Software\Microsoft\Office\ registry key so it can bypass the VB object model (VBOM) on a compromised host.[5]

Enterprise T1115 Clipboard Data

ROKRAT can extract clipboard data from a compromised host.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

ROKRAT can decrypt strings using the victim's hostname as the key.[3][5]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

ROKRAT has used Visual Basic for execution.[5]

Enterprise T1113 Screen Capture

ROKRAT can capture screenshots of the infected system using the gdi32 library.[1][6][7][4][5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ROKRAT can use HTTP and HTTPS for command and control communication.[1][4][5]

Enterprise T1010 Application Window Discovery

ROKRAT can use the GetForegroundWindow and GetWindowText APIs to discover where the user is typing.[1]

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

ROKRAT relies on a specific victim hostname to execute and decrypt important strings.[3]

Enterprise T1083 File and Directory Discovery

ROKRAT has the ability to gather a list of files and directories on the infected system.[7][4][3]

Enterprise T1106 Native API

ROKRAT can use a variety of API calls to execute shellcode.[5]

Enterprise T1012 Query Registry

ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[2]

Enterprise T1027 Obfuscated Files or Information

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[3][5]

Enterprise T1204 .002 User Execution: Malicious File

ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing.[5]

Enterprise T1070 .004 Indicator Removal: File Deletion

ROKRAT can request to delete files.[4]

Enterprise T1082 System Information Discovery

ROKRAT can gather the hostname and the OS version to ensure it doesn't run on Windows XP or Windows Server 2003 systems.[1][6][7][4][3][5]

Enterprise T1033 System Owner/User Discovery

ROKRAT can collect the username from a compromised host.[5]

Enterprise T1102 .002 Web Service: Bidirectional Communication

ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.[1][7][3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

ROKRAT can check for VMware-related files and DLLs related to sandboxes.[2][4][5]

Enterprise T1622 Debugger Evasion

ROKRAT can check for debugging tools.[2][4][5]

Enterprise T1105 Ingress Tool Transfer

ROKRAT can retrieve additional malicious payloads from its C2 server.[1][4][3][5]

Enterprise T1056 .001 Input Capture: Keylogging

ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.[1][3]

Enterprise T1057 Process Discovery

ROKRAT can list the current running processes on the system.[1][4]

Enterprise T1055 Process Injection

ROKRAT can use VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread to execute shellcode within the address space of Notepad.exe.[5]

Enterprise T1041 Exfiltration Over C2 Channel

ROKRAT can send collected files back over the same C2 channel.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ROKRAT can send collected data to cloud storage services such as PCloud.[5][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.[5]

Enterprise T1123 Audio Capture

ROKRAT has an audio capture and eavesdropping module.[7]

Groups That Use This Software

ID Name References
G0067 APT37 [2][7]