The PolySwarm Blog


Reaper Uses New TTPs to Drop RokRAT

May 15, 2023 2:27:27 PM / by The Hivemind

Related Families: CloudMensis, RambleOn

Executive Summary

Reaper was recently observed using new TTPs to drop RokRAT. The infection chain relied on LNK files delivered via phishing emails with energy sector or politically themed lures.

Key Takeaways

  • Reaper was recently observed using new TTPs to drop RokRAT. 
  • The infection chain used LNK files to deliver RokRAT.
  • In the campaign, Reaper used cloud storage services for C2. 

What is RokRAT?

Check Point reported on RokRAT, a malware family used by Reaper to target entities in South Korea. RokRAT, also known as DogCall, has been in the wild since at least 2017. There is also a Mac variant of RokRAT, known as CloudMensis, and an Android variant, known as RambleOn.

RokRAT is used for credential theft, data exfiltration, capturing screenshots, gathering system information, executing commands and shellcode, and managing files and directories. Reaper often uses cloud storage services for C2.

While RokRAT has not changed much over the years, the TTPs used to deliver it have evolved. Since at least January 2022, Reaper has been using oversized LNK files to deliver RokRAT. These LNK archives are used to initiate a multistage infection chain to bypass macro blocking.

In recently analyzed samples, the LNK file was packaged in a ZIP archive along with three benign files and delivered via a phishing email with an energy sector or politically themed lure. The LNK masquerades as a PDF document. When the LNK is opened, a decoy document is presented to the victim and a PowerShell script is executed. That PowerShell script extracts a BAT script from the LNK, drops it to disk, and executes it. The BAT script, in turn, launches another PowerShell script, which downloads a payload from the C2. The payload is reflectively injected into the PowerShell process and runs as a new thread. The shellcode then decodes the RokRAT portion of the payload and executes it.
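The chain above starts with an oversized LNK inside a ZIP attachment, so a cheap first triage step is to inspect archive entries for Shell Link headers, abnormal size, document-style double extensions, and embedded PowerShell/BAT strings, and to compare each entry's SHA256 against the IOC list in this bulletin. The following script is an added example written for this post, not PolySwarm tooling; the 64 KiB size threshold, the marker regex, and the double-extension heuristic are assumptions, and the sample archive is constructed in memory so it runs offline.

```python
"""Triage a ZIP attachment for oversized LNK droppers and known RokRAT IOC hashes.

Added example (not PolySwarm's code). The size threshold, marker regex and
double-extension heuristic are assumptions; the sample archive is constructed.
"""
import hashlib
import io
import re
import zipfile

# SHA256 hashes listed in the bulletin's IOC section.
KNOWN_IOCS = {
    "f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753",
    "240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a",
    "6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494",
    "12ecabf01508c40cfea1ebc3958214751acfb1cd79a5bf2a4b42ebf172d7381b",
    "0e926d8b6fbf6f14a2a19d4d4af843253f9f5f6de337956a12dde279f3321d78",
    "1e0b5d6b85fca648061fdaf2830c5a90248519e81e78122467c29beeb78daa1e",
    "852607619f1de73d78b4e0de2cc5f37217cfda62bdc339093fb003e202d3d9e3",
}

# Shell Link header: HeaderSize (0x4C) followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Assumption: a legitimate shortcut is a few KB; anything above this is suspicious.
OVERSIZED_LNK_BYTES = 64 * 1024

# Strings suggesting an embedded PowerShell/BAT stage (heuristic, constructed here).
SCRIPT_MARKERS = re.compile(
    rb"powershell|-encodedcommand|-windowstyle\s+hidden|\.bat\b|cmd(\.exe)?\s*/c", re.I
)

# Document extensions a dropper might put in front of ".lnk" to masquerade as a document.
DOC_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def triage_entry(name: str, data: bytes) -> dict:
    """Return a findings dict for one archive member."""
    lower = name.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    sha256 = hashlib.sha256(data).hexdigest()
    finding = {
        "name": name,
        "size": len(data),
        "sha256": sha256,
        "ioc_match": sha256 in KNOWN_IOCS,
        "is_lnk": data.startswith(LNK_MAGIC),
        "oversized_lnk": False,
        "double_extension": lower.endswith(".lnk") and stem.endswith(DOC_EXTS),
        "script_markers": [],
    }
    if finding["is_lnk"]:
        finding["oversized_lnk"] = len(data) > OVERSIZED_LNK_BYTES
        finding["script_markers"] = sorted(
            {m.group(0).decode("latin-1").lower() for m in SCRIPT_MARKERS.finditer(data)}
        )
    finding["suspicious"] = (
        finding["ioc_match"]
        or finding["oversized_lnk"]
        or finding["double_extension"]
        or bool(finding["script_markers"])
    )
    return finding


def triage_zip(zip_bytes: bytes) -> list:
    """Triage every file entry in a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(triage_entry(info.filename, zf.read(info)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one oversized LNK with an embedded script stage plus three benign files."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56          # rest of the 76-byte header, zeroed
    fake_lnk += b"A" * (OVERSIZED_LNK_BYTES + 4096)  # padding that makes it "oversized"
    fake_lnk += b"powershell -WindowStyle Hidden -EncodedCommand ...\r\n@echo off\r\nstage2.bat"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Energy_Policy_Brief.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", "Please see the attached brief.\n")
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("notes.docx", b"PK\x03\x04" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:30} {f['size']:>7} B lnk={f['is_lnk']} markers={f['script_markers']}")
```

Run it as-is to see the constructed archive triaged; to use it on a real attachment, pass the file's bytes to `triage_zip`. The hash comparison only catches the exact samples listed above, while the header, size and marker checks catch the delivery technique regardless of hash, which is the more durable signal given that RokRAT's loader TTPs change more often than the RAT itself.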

Who is Reaper?

Reaper, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Ricochet Chollima, is a North Korea-nexus threat actor group. Reaper has been active since at least 2012 and typically targets entities in South Korea. However, the group has also been known to target entities in Japan, Vietnam, the Middle East, and elsewhere. Targeted verticals include chemical, electronics, manufacturing, aerospace, automotive, and healthcare. Reaper TTPs include Windows UAC bypass, C2 over HTTPS, SoundWave, Zumkong, an MBR wiper, RiceCurry, Flash exploits, steganography, Freenki, RokRAT, Bluelight, CoralDeck, Final1stspy, HappyWork, Karae, NavRAT, PoorAim, ShutterSpeed, SlowDrift, and WineRack.

IOCs

PolySwarm has multiple samples associated with this activity.


f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753

240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a

6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494

12ecabf01508c40cfea1ebc3958214751acfb1cd79a5bf2a4b42ebf172d7381b

0e926d8b6fbf6f14a2a19d4d4af843253f9f5f6de337956a12dde279f3321d78

1e0b5d6b85fca648061fdaf2830c5a90248519e81e78122467c29beeb78daa1e

852607619f1de73d78b4e0de2cc5f37217cfda62bdc339093fb003e202d3d9e3


You can use the following CLI command to search for all RokRAT samples in our portal:

$ polyswarm link list -f RokRAT


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, RokRAT, Reaper, Ricochet Chollima, LNK
