ALERT: North Korean hackers targeting South Korea with RokRat Trojan
A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37, Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool.
"The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis.
While the previous attacks leveraged malware-laced Hangul Word Processor documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.
Chief among the responsibilities of the macro embedded in the file is to inject shellcode into a Notepad.exe process; that shellcode then downloads the RokRat payload, in encrypted form, from a Google Drive URL. RokRat - first publicly documented by Cisco Talos in 2017 - is a RAT of choice for APT37, and the group has used it in a number of campaigns since 2016.
"The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro," the researchers concluded.
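The delivery chain described above gives defenders two concrete telemetry signals: an Office process spawning Notepad.exe, and that Notepad.exe making an outbound connection to a cloud file host. The following is an added detection example, not code from Malwarebytes or the original report; the event schema is a constructed simplification modelled loosely on Sysmon process-create and network-connect events, and the sample events are constructed, not captured telemetry.

```python
"""Detect Office -> Notepad.exe process injection chains followed by egress.

Added example for the RokRat delivery chain: a macro injects into notepad.exe,
which then fetches the payload from Google Drive. Both steps leave traces in
endpoint telemetry, so we correlate them per PID.
"""

# Office hosts that should never legitimately spawn an editor process.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Benign binaries abused as injection hosts in this campaign.
INJECTION_HOSTS = {"notepad.exe"}

# Constructed sample events (assumption: a simplified Sysmon-like schema,
# "process" ~ EventID 1, "network" ~ EventID 3). Not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1200, "image": "WINWORD.EXE",
     "parent_pid": 800, "parent_image": "explorer.exe"},
    # Malicious chain: Word spawns notepad.exe, notepad.exe reaches Google Drive.
    {"type": "process", "pid": 1300, "image": "notepad.exe",
     "parent_pid": 1200, "parent_image": "WINWORD.EXE"},
    {"type": "network", "pid": 1300, "image": "notepad.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
    # Benign: user opens notepad from Explorer, no network activity.
    {"type": "process", "pid": 1400, "image": "notepad.exe",
     "parent_pid": 800, "parent_image": "explorer.exe"},
    # Benign: browser talking to Google Drive is normal.
    {"type": "network", "pid": 1500, "image": "chrome.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
]


def detect_office_injection_chain(events):
    """Return a list of alerts for Office-spawned injection hosts.

    Severity "medium": an Office process created an injection-host process.
    Severity "high":   that same process then made a network connection,
                       which matches the payload-download stage.
    """
    suspicious_pids = {}  # pid -> process-create event that flagged it
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            parent = ev["parent_image"].lower()
            if image in INJECTION_HOSTS and parent in OFFICE_PROCS:
                suspicious_pids[ev["pid"]] = ev
                alerts.append({
                    "severity": "medium",
                    "pid": ev["pid"],
                    "reason": f"{parent} spawned {image}",
                })
        elif ev["type"] == "network" and ev["pid"] in suspicious_pids:
            # Notepad has no business making outbound connections at all;
            # coming from an Office-spawned instance it matches the
            # shellcode's payload fetch.
            alerts.append({
                "severity": "high",
                "pid": ev["pid"],
                "reason": (f"office-spawned {ev['image'].lower()} connected to "
                           f"{ev['dest_host']}:{ev['dest_port']}"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_injection_chain(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["reason"])
```

Correlating on the PID rather than alerting on any notepad.exe network connection keeps the rule quiet on hosts where notepad.exe is launched normally, while still catching the chain even if the payload host changes from Google Drive to another service.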