Related Families: CloudMensis, RambleOn
Executive Summary
Reaper was recently observed using new TTPs to drop RokRAT. The infection chain leveraged LNK files delivered in phishing emails with energy sector or politically themed lures.
Key Takeaways
- Reaper was recently observed using new TTPs to drop RokRAT.
- The infection chain used LNK files to deliver RokRAT.
- In the campaign, Reaper used cloud storage services for C2.
What is RokRAT
Check Point reported on RokRAT, a malware family used by Reaper to target entities in South Korea. RokRAT, also known as DogCall, has been in the wild since at least 2017. There is also a Mac variant of RokRAT, known as CloudMensis, and an Android variant, known as RambleOn.
RokRAT is used for credential theft, data exfiltration, capturing screenshots, gathering system information, executing commands and shellcode, and managing files and directories. Reaper often uses cloud storage services for C2.
While RokRAT itself has not changed much over the years, the TTPs used to deliver it have evolved. Since at least January 2022, Reaper has been using oversized LNK files to deliver RokRAT; the shortcuts are oversized because the next-stage content is embedded inside them. These LNK files initiate a multistage infection chain and let the actor avoid Office macros, which Microsoft now blocks by default in files downloaded from the internet.
In recently analyzed samples, the LNK file was packed in a ZIP archive alongside three benign files and delivered via a phishing email with an energy sector or politically themed lure. The LNK masquerades as a PDF document. When the victim opens the LNK, a decoy document is displayed and a PowerShell command runs. That PowerShell carves a BAT script out of the LNK file itself, drops it to disk, and executes it. The BAT script in turn launches a second PowerShell, which downloads a payload from the C2. The payload is reflectively injected into the PowerShell process and run on a new thread. The shellcode then decodes the RokRAT portion of the payload and executes it.
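As an added triage example (not code from PolySwarm, Check Point, or the samples above), the following Python script inspects a ZIP archive for a shortcut matching the delivery pattern just described: a Shell Link header, a document extension placed in front of .lnk, an oversized file body, and embedded PowerShell, batch-script or PDF content. Because a shortcut's own command-line arguments are stored as UTF-16LE while any carved-out BAT or decoy bytes are ASCII, each marker is searched in both encodings. The 512 KB threshold, the marker strings, the member names, and the archive the script builds in memory are all constructed for illustration; none of the bytes correspond to a real sample.

```python
import io
import re
import zipfile

# Shell Link (.lnk) header per MS-SHLLINK: HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
LNK_HEADER_SIZE = 0x4C

# A normal shortcut is a few KB. The delivery LNKs described above embed the
# next-stage script, so they run far larger. The threshold is an assumption.
OVERSIZED_BYTES = 512 * 1024

# Literals that betray an embedded second stage. Each is matched both as ASCII
# (embedded BAT/PDF content) and as UTF-16LE (the LNK's own argument string).
MARKERS = {
    "powershell": b"powershell",
    "hidden window": b"-windowstyle hidden",
    "batch script": b"@echo off",
    "pdf decoy": b"%pdf-",
}

# Document extensions commonly placed before .lnk so Explorer, which hides the
# .lnk suffix, shows the file as a document.
MASQUERADE_RE = re.compile(r"\.(pdf|docx?|hwp|xlsx?|pptx?)\.lnk$")


def find_markers(data: bytes) -> list[str]:
    """Return the marker labels present in data, in either encoding."""
    # bytes.lower() only touches ASCII letters, so the UTF-16LE null bytes survive.
    low = data.lower()
    found = []
    for label, lit in MARKERS.items():
        if lit in low or lit.decode("ascii").encode("utf-16-le") in low:
            found.append(label)
    return found


def triage_lnk(name: str, data: bytes) -> list[str]:
    """Reasons why one file looks like a RokRAT-style delivery LNK ([] if none).

    The check keys on the Shell Link header, not the file name, so a shortcut
    renamed to hide its extension is still examined.
    """
    if not data.startswith(LNK_MAGIC):
        return []
    reasons = []
    if MASQUERADE_RE.search(name.lower()):
        reasons.append("document extension before .lnk (masquerading)")
    if len(data) > OVERSIZED_BYTES:
        reasons.append(f"oversized LNK ({len(data)} bytes)")
    reasons.extend(f"embedded {m} marker" for m in find_markers(data))
    return reasons


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Triage every member of a ZIP; return {member: reasons} for flagged ones."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_lnk(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test input modelled on the chain above: one shortcut with a
    document-looking name plus three benign files. Nothing here is a real sample."""
    header = LNK_MAGIC.ljust(LNK_HEADER_SIZE, b"\x00")
    # Shortcut target arguments, stored UTF-16LE: a hidden PowerShell that would
    # carve and run the embedded BAT (illustrative command, not a real sample's).
    args = ('powershell -WindowStyle Hidden -ep bypass -c '
            '"Start-Process $env:TEMP\\stage.bat"').encode("utf-16-le")
    decoy = b"%PDF-1.4\n% constructed decoy document\n"
    bat = b"@echo off\r\npowershell -ep bypass -f %temp%\\stage.ps1\r\n"
    lnk = header + args + b"\x00" * 16 + decoy + bat + b"\x00" * OVERSIZED_BYTES

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Energy_Policy_Briefing.pdf.lnk", lnk)
        zf.writestr("agenda.txt", b"meeting agenda\n")
        zf.writestr("contacts.csv", b"name,email\n")
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member)
        for r in reasons:
            print("  -", r)
```

Keying on the header rather than the extension matters: Explorer hides .lnk by default, and a renamed shortcut still carries the 0x4C header and CLSID, so the triage still sees it.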
Who is Reaper?
Reaper, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Ricochet Chollima, is a North Korea-nexus threat actor group. Reaper has been active since at least 2012 and primarily targets entities in South Korea, though it has also targeted entities in Japan, Vietnam, the Middle East, and elsewhere. Targeted verticals include chemical, electronics, manufacturing, aerospace, automotive, and healthcare. Reaper's techniques include Windows UAC bypass, C2 over HTTPS, Flash exploits, steganography, and an MBR wiper. Its tooling includes SoundWave, Zumkong, RiceCurry, Freenki, RokRAT, Bluelight, CoralDeck, Final1stspy, HappyWork, Karae, NavRAT, PoorAim, ShutterSpeed, SlowDrift, and WineRack.
IOCs
PolySwarm has multiple samples associated with this activity.
f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753
240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a
6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494
12ecabf01508c40cfea1ebc3958214751acfb1cd79a5bf2a4b42ebf172d7381b
0e926d8b6fbf6f14a2a19d4d4af843253f9f5f6de337956a12dde279f3321d78
1e0b5d6b85fca648061fdaf2830c5a90248519e81e78122467c29beeb78daa1e
852607619f1de73d78b4e0de2cc5f37217cfda62bdc339093fb003e202d3d9e3
You can use the following CLI command to search for all RokRAT samples in our portal:
$ polyswarm link list -f RokRAT
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports