North Korean APT37 Hackers Use VBA Self Decode Technique to Inject RokRat

https://gbhackers.com/north-korean-apt37-hackers/

A North Korean hacking group, also tracked as ScarCruft, Reaper and Group123, has been observed targeting the South Korean government using a VBA self-decode technique to inject RokRat.

What is RokRat?

RokRat is a Remote Access Trojan (RAT) and an advanced backdoor. It is usually distributed as an encoded binary file that is downloaded and decrypted by shellcode after a weaponized document has been exploited. RokRat is built for evasion and uses multiple techniques to make detection time-consuming and difficult.

The Attack History

On December 7, 2020, a malicious document uploaded to VirusTotal was identified. The file was disguised as a meeting request, and the intended target of the attack is believed to be the South Korean government. The meeting date mentioned in the file is 23 January 2020, which aligns with the file's compilation date of 27 January 2020. This indicates that the attack actually took place about a year earlier.

The Interesting Method: How the RokRat Attack Works

Researchers believe this sample is linked to APT37, a suspected North Korean cyber espionage group, based on the injected payload. In the past, this APT has relied on Hangul Office documents (.hwp files) to target victims, as that software is commonly used in South Korea.

Spear phishing is a malicious practice carried out via email campaigns in which attackers research their targets, understand their interests, study their day-to-day operations, and tailor the email to steal sensitive data and install malware.



Spear phishing was the primary initial infection vector used by APT37: an email carrying the weaponized document is sent to the target.

The malicious file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory space of Microsoft Office, without writing anything to disk. Once decoded, it injects a variant of RokRat into Notepad.
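As an added example (not from the article, and not the actual RokRat macro), the following Python heuristic scans a macro's VBA source for the behaviours just described: an auto-run entry point, Win32 memory APIs, an in-memory XOR decode loop, and Notepad as the host process. Both VBA samples are constructed for the demonstration.

```python
import re

# Constructed VBA fragment (not the real RokRat macro): it only mirrors the shape
# the article describes -- auto-run, Win32 memory APIs, XOR decode loop, Notepad host.
SUSPICIOUS_VBA = '''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal a As LongPtr, ByVal s As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal h As LongPtr) As Long
Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" (ByVal h As LongPtr) As LongPtr
Sub AutoOpen()
    Dim buf() As Byte, i As Long
    For i = 0 To UBound(buf)
        buf(i) = buf(i) Xor &H5A
    Next i
    Shell "notepad.exe", vbHide
End Sub
'''

# Constructed benign macro used as a control.
BENIGN_VBA = '''
Sub FormatReport()
    For Each c In Range("A1:A10")
        c.Font.Bold = True
    Next c
End Sub
'''

# Each indicator is one behaviour of a self-decoding, injecting macro.
INDICATORS = {
    "auto_exec": r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b",
    "win32_memory": r"\b(VirtualAlloc(Ex)?|RtlMoveMemory|WriteProcessMemory)\b",
    "remote_thread": r"\b(CreateRemoteThread|NtCreateThreadEx|QueueUserAPC)\b",
    "decode_loop": r"\bFor\b[\s\S]{0,300}?\bXor\b[\s\S]{0,300}?\bNext\b",
    "host_process": r"(?i)\bnotepad\.exe\b",
    "hidden_shell": r"\bShell\b.*\bvbHide\b",
}

def scan_vba(source):
    """Return {indicator: matched?} for one macro's source text."""
    return {name: re.search(pat, source) is not None for name, pat in INDICATORS.items()}

def classify(source):
    """Combine indicators: auto-run + memory APIs + (decode loop or remote thread)
    is the self-decode-then-inject pattern; any other hit is sent to triage."""
    hits = scan_vba(source)
    if hits["auto_exec"] and hits["win32_memory"] and (hits["decode_loop"] or hits["remote_thread"]):
        return "likely self-decoding injector", hits
    if any(hits.values()):
        return "review manually", hits
    return "no indicators", hits
```

In practice the macro source would be pulled out of the document first (for example with the olevba tool from oletools) and each module fed to classify().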

Typically .hwp (Hangul Office) files are weaponized with a self-decode macro; this time a Microsoft Office file was used. In the past, the RokRat malware has also targeted numerous high-profile public figures, including Donald Trump, Hillary Clinton and several others.

This attack was carried out for political purposes. In this campaign, the malware was delivered through malspam email campaigns whose fake body content related to bank scams.

