ALERT: North Korean hackers targeting South Korea with RokRat Trojan
2021-01-08 12:00

A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.

Attributing the attack to APT37, Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool.

"The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis.

While the previous attacks leveraged malware-laced Hangul Word Processor documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.

Chief among the responsibilities of the macro embedded in the file is to inject shellcode into a Notepad.exe process, which then downloads the RokRat payload in encrypted form from a Google Drive URL. RokRat, first publicly documented by Cisco Talos in 2017, is a RAT of choice for APT37, which has used it in a number of campaigns since 2016.
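The behaviour described above (an Office document spawning Notepad.exe, and that Notepad.exe then reaching out to Google Drive for the payload) is something endpoint telemetry can surface. The following Python hunt is an added illustration for defenders, not code from the article or from the Malwarebytes report; it runs over a handful of constructed, simplified Sysmon-style events (event ID 1 = process creation, event ID 3 = network connection) and flags Notepad processes whose parent is an Office application and which subsequently connect to a Google Drive host. The field names, the Office and Google Drive host lists, and the severity labels are assumptions chosen for the example.

```python
# Added example (not from the original page): hunt for the Notepad.exe abuse
# pattern in simplified Sysmon-style events. All events below are constructed.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed set
HOLLOWED_HOSTS = {"notepad.exe"}                                 # host named on the page
CLOUD_HOSTS = {"drive.google.com", "docs.google.com"}            # assumed Google Drive hosts


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (pid, rule, severity) findings.

    Rules:
      office_spawned_notepad            - Office app created notepad.exe (medium)
      office_child_notepad_cloud_fetch  - that notepad.exe then talked to Google Drive (high)
      notepad_network_to_cloud          - any notepad.exe talking to Google Drive (medium)
    """
    office_children = set()   # pids of notepad.exe spawned by an Office parent
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image not in HOLLOWED_HOSTS:
            continue
        if ev["event_id"] == 1 and basename(ev["parent_image"]) in OFFICE_PARENTS:
            office_children.add(ev["pid"])
            findings.append((ev["pid"], "office_spawned_notepad", "medium"))
        elif ev["event_id"] == 3 and ev["dest_host"] in CLOUD_HOSTS:
            if ev["pid"] in office_children:
                findings.append((ev["pid"], "office_child_notepad_cloud_fetch", "high"))
            else:
                findings.append((ev["pid"], "notepad_network_to_cloud", "medium"))
    return findings


# Constructed sample telemetry: Word opens, spawns Notepad, Notepad fetches from Drive;
# a second, unrelated Notepad (spawned by Explorer) also reaches Drive.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_pid": 3001, "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 5212, "image": r"C:\Windows\System32\notepad.exe",
     "parent_pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_id": 3, "pid": 5212, "image": r"C:\Windows\System32\notepad.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
    {"event_id": 1, "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_pid": 3001, "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 3, "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
]

if __name__ == "__main__":
    for pid, rule, severity in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} severity={severity}")
```

Notepad has no legitimate reason to open network connections at all, so the medium-severity rule alone is worth an alert; the high-severity correlation with an Office parent is what ties the telemetry to the specific delivery chain the researchers describe.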

"The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self-decode macro," the researchers concluded.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/yF4TY5O24po/alert-north-korean-hackers-targeting.html