A recent cybersecurity incident has revealed a North Korean hacking group employing the RokRat Trojan in a targeted spear-phishing campaign aimed at the South Korean government. The attack has been attributed to the advanced persistent threat group known as APT37, also tracked as ScarCruft, Ricochet Chollima, or Reaper.

Malwarebytes published its analysis of a malicious document discovered in December which, upon being opened, executes a macro in memory to install the remote access tool. The examination noted that the file contains a VBA macro that uses a self-decoding technique to run entirely within the memory of Microsoft Office, so the decoded payload never touches disk and evades file-based detection. The macro then injects a RokRat variant into the Notepad process.

The Reaper APT, believed to be active since at least 2012, primarily targets various sectors within South Korea, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. Reports indicate that their victim profile has expanded beyond the Korean Peninsula, including entities in Japan, Vietnam, Russia, Nepal, China, India, and parts of the Middle East.

Notably, this recent campaign marks a shift in tactics from previous attacks, where APT37 typically utilized malware-laden Hangul Word Processor (HWP) documents. The adoption of VBA Office files for delivering the RokRat indicates a strategic evolution in their phishing methods, enhancing their capability to evade static detection mechanisms.

The malicious document, disguised as a meeting request dated January 23, 2020, was uploaded to VirusTotal in December, indicating that the campaign may have begun almost a year earlier. The macro's primary function is to inject shellcode into the Notepad.exe process; that shellcode downloads the RokRat payload, in encrypted form, from a Google Drive URL.
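One way a defender could hunt for the Office-to-Notepad chain described here, as an added example that is not code from the article or from Malwarebytes: it runs over constructed Sysmon-style events (field names follow Sysmon's schema for Event IDs 1, 8 and 3; the events themselves are made up, not from the incident) and flags a Notepad process that an Office application spawned or injected into and that then reached a cloud storage host.

```python
# Added example, not the article's or Malwarebytes' code: chain detection over
# constructed Sysmon-style events (ID 1 process create, 8 CreateRemoteThread,
# 3 network connection). Sample events below are made up.

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Cloud services the article says RokRat relies on for payload delivery / C2.
CLOUD_HOSTS = ("drive.google.com", "googleusercontent.com", "dropbox.com",
               "box.com", "yandex.com")


def _base(path):
    """Case-insensitive file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_rokrat_chain(events):
    """Return (stage, notepad_pid, detail) tuples for Office -> notepad.exe -> cloud."""
    findings = []
    tainted = set()  # notepad.exe PIDs that an Office process spawned or injected into
    for e in events:
        eid = e["EventID"]
        if eid == 1 and _base(e["ParentImage"]) in OFFICE_IMAGES \
                and _base(e["Image"]) == "notepad.exe":
            tainted.add(e["ProcessId"])
            findings.append(("office_spawned_notepad", e["ProcessId"], _base(e["ParentImage"])))
        elif eid == 8 and _base(e["SourceImage"]) in OFFICE_IMAGES \
                and _base(e["TargetImage"]) == "notepad.exe":
            tainted.add(e["TargetProcessId"])
            findings.append(("remote_thread_into_notepad", e["TargetProcessId"], _base(e["SourceImage"])))
        elif eid == 3 and _base(e["Image"]) == "notepad.exe" and e["ProcessId"] in tainted \
                and any(h in e["DestinationHostname"] for h in CLOUD_HOSTS):
            findings.append(("notepad_cloud_connection", e["ProcessId"], e["DestinationHostname"]))
    return findings


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
SAMPLE_EVENTS = [  # constructed telemetry
    {"EventID": 1, "Image": NOTEPAD, "ProcessId": 4242, "ParentImage": WORD},
    {"EventID": 8, "SourceImage": WORD, "TargetImage": NOTEPAD, "TargetProcessId": 4242},
    {"EventID": 3, "Image": NOTEPAD, "ProcessId": 4242, "DestinationHostname": "drive.google.com"},
    # Notepad opened by the user, no Office lineage: outside this chain rule's scope.
    {"EventID": 1, "Image": NOTEPAD, "ProcessId": 5150, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": NOTEPAD, "ProcessId": 5150, "DestinationHostname": "drive.google.com"},
]

if __name__ == "__main__":
    for finding in detect_rokrat_chain(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on process lineage rather than file hashes, so it is unaffected by the macro's in-memory decoding; an unexplained Notepad network connection (pid 5150 above) still deserves its own, separate alert.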

First documented by Cisco Talos in 2017, RokRat has become a staple tool for APT37 and has been used in numerous campaigns since 2016. It is a Windows backdoor that can capture screenshots, log keystrokes, and evade analysis through anti-virtual-machine checks, and it uses cloud storage APIs such as Box, Dropbox, and Yandex for its communications.

The evolution of RokRat continues, as evidenced by enhancements introduced in 2019, which allowed for the collection of Bluetooth device information. This capability is part of a broader intelligence-gathering initiative targeting investment and trading firms in Vietnam and Russia, as well as a diplomatic agency in Hong Kong.

The transition from HWP documents to Microsoft Office files weaponized with self-decoding macros signifies a sophisticated approach by APT37, effectively concealing malicious intent while bypassing existing security measures. This incident underscores the need for vigilance among businesses, particularly those in sensitive sectors, as cyber adversaries continue to refine their tactics and techniques.
