SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rokrat (Back to overview)

RokRAT

aka: DOGCALL

Actor(s): APT37


It is a backdoor commonly distributed as an encoded
binary file downloaded and decrypted by shellcode following the
exploitation of weaponized documents. DOGCALL is capable of
capturing screenshots, logging keystrokes, evading analysis with
anti-virtual machine detections, and leveraging cloud storage APIs
such as Cloud, Box, Dropbox, and Yandex.

References
2023-06-06Security IntelligenceJoshua Chung, Melissa Frydrych, Claire Zaboeva, Agnes Ramos-Beauchamp
@online{chung:20230606:itg10:83811e5, author = {Joshua Chung and Melissa Frydrych and Claire Zaboeva and Agnes Ramos-Beauchamp}, title = {{ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)}}, date = {2023-06-06}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/}, language = {English}, urldate = {2023-06-09} } ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)
RokRAT
2023-05-01Check Point ResearchCheck Point Research
@online{research:20230501:chain:855e7fa, author = {Check Point Research}, title = {{Chain Reaction: RokRAT's Missing Link}}, date = {2023-05-01}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/}, language = {English}, urldate = {2023-05-02} } Chain Reaction: RokRAT's Missing Link
Amadey RokRAT
2023-04-26AhnLabbghjmun
@online{bghjmun:20230426:rokrat:e241546, author = {bghjmun}, title = {{RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)}}, date = {2023-04-26}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/51751/}, language = {English}, urldate = {2023-04-26} } RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
RokRAT
2023-03-23Medium s2wlabBLKSMTH, S2W TALON
@online{blksmth:20230323:scarcruft:82ba4d6, author = {BLKSMTH and S2W TALON}, title = {{Scarcruft Bolsters Arsenal for targeting individual Android devices}}, date = {2023-03-23}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab}, language = {English}, urldate = {2023-03-27} } Scarcruft Bolsters Arsenal for targeting individual Android devices
RambleOn RokRAT
2022-09-28Twitter (@ESETresearch)ESET Research
@online{research:20220928:twitter:e0277dd, author = {ESET Research}, title = {{Twitter Thread linking CloudMensis to RokRAT / ScarCruft}}, date = {2022-09-28}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1575103839115804672}, language = {English}, urldate = {2023-03-24} } Twitter Thread linking CloudMensis to RokRAT / ScarCruft
CloudMensis RokRAT
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:moldy:593ab77, author = {Unit 42}, title = {{Moldy Pisces}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/moldypisces/}, language = {English}, urldate = {2022-07-29} } Moldy Pisces
RokRAT APT37
2022-04-28PWCPWC UK
@techreport{uk:20220428:cyber:c43873f, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf}, language = {English}, urldate = {2022-04-29} } Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2021-08-24VolexityDamien Cash, Josh Grunzweig, Steven Adair, Thomas Lancaster
@online{cash:20210824:north:aab532f, author = {Damien Cash and Josh Grunzweig and Steven Adair and Thomas Lancaster}, title = {{North Korean BLUELIGHT Special: InkySquid Deploys RokRAT}}, date = {2021-08-24}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/}, language = {English}, urldate = {2021-08-31} } North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
RokRAT
2021-07-14Medium s2wlabJaeki Kim
@online{kim:20210714:matryoshka:6c8d267, author = {Jaeki Kim}, title = {{Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)}}, date = {2021-07-14}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48}, language = {English}, urldate = {2021-07-20} } Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)
RokRAT
2021-02-18PTSecurityPTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2021-01-06MalwarebytesHossein Jazi
@online{jazi:20210106:retrohunting:65f1492, author = {Hossein Jazi}, title = {{Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat}}, date = {2021-01-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/}, language = {English}, urldate = {2021-01-11} } Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
RokRAT
2020-06-16IBMIBM Security X-Force® Incident Responseand Intelligence Services (IRIS)
@online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Responseand Intelligence Services (IRIS)}, title = {{Cloud ThreatLandscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } Cloud ThreatLandscape Report 2020
QNAPCrypt RokRAT
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-30Kaspersky SASSeongsu Park
@techreport{park:20200330:behind:7c5548e, author = {Seongsu Park}, title = {{Behind the Mask of ScarCruft}}, date = {2020-03-30}, institution = {Kaspersky SAS}, url = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf}, language = {English}, urldate = {2020-03-31} } Behind the Mask of ScarCruft
RokRAT
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-08-12Kindred SecurityKindred Security
@online{security:20190812:overview:0726c0a, author = {Kindred Security}, title = {{An Overview of Public Platform C2’s}}, date = {2019-08-12}, organization = {Kindred Security}, url = {https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/}, language = {English}, urldate = {2021-07-20} } An Overview of Public Platform C2’s
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-05-13Kaspersky LabsGReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2018-11-16Kim Yejun
@online{yejun:20181116:return:31caa6a, author = {Kim Yejun}, title = {{Return to ROKRAT!! (feat. FAAAA...Sad...)}}, date = {2018-11-16}, url = {http://v3lo.tistory.com/24}, language = {Japanese}, urldate = {2019-11-26} } Return to ROKRAT!! (feat. FAAAA...Sad...)
RokRAT
2018-10-03IntezerJay Rosenberg
@online{rosenberg:20181003:apt37:93a9100, author = {Jay Rosenberg}, title = {{APT37: Final1stspy Reaping the FreeMilk}}, date = {2018-10-03}, organization = {Intezer}, url = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/}, language = {English}, urldate = {2020-01-09} } APT37: Final1stspy Reaping the FreeMilk
Final1stSpy RokRAT
2018-02-27VMWare Carbon BlackJared Myers
@online{myers:20180227:threat:11a58a0, author = {Jared Myers}, title = {{Threat Analysis: ROKRAT Malware}}, date = {2018-02-27}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/}, language = {English}, urldate = {2019-10-23} } Threat Analysis: ROKRAT Malware
RokRAT
2018-02-20FireEyeFireEye
@techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2021-11-03} } APT37 (REAPER) The Overlooked North Korean Actor
PoorWeb RokRAT APT37
2018-01-16Cisco TalosWarren Mercer, Paul Rascagnères
@online{mercer:20180116:korea:02f4c3c, author = {Warren Mercer and Paul Rascagnères}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-04-06} } Korea In The Crosshairs
Freenki Loader RokRAT APT37
2018-01-16Cisco TalosWarren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20180116:korea:f462331, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-01-06} } Korea In The Crosshairs
Freenki Loader PoohMilk Loader RokRAT APT37
2017-11-28CiscoWarren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20171128:rokrat:dec34fb, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{ROKRAT Reloaded}}, date = {2017-11-28}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html}, language = {English}, urldate = {2019-11-22} } ROKRAT Reloaded
RokRAT
2017-04-03Cisco TalosWarren Mercer, Paul Rascagnères, Matthew Molyett
@online{mercer:20170403:introducing:d17f359, author = {Warren Mercer and Paul Rascagnères and Matthew Molyett}, title = {{Introducing ROKRAT}}, date = {2017-04-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html}, language = {English}, urldate = {2020-01-09} } Introducing ROKRAT
RokRAT
2017Cisco TalosWarren Mercer, Paul Rascagnères
@techreport{mercer:2017:introducing:04e2ff1, author = {Warren Mercer and Paul Rascagnères}, title = {{Introducing ROKRAT}}, date = {2017}, institution = {Cisco Talos}, url = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf}, language = {English}, urldate = {2019-12-20} } Introducing ROKRAT
RokRAT
Yara Rules
[TLP:WHITE] win_rokrat_auto (20230715 | Detects win.rokrat.)
rule win_rokrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rokrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 6a04 33c0 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a04                 | push                4
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 56 50 8d45f4 64a300000000 c745fc00000000 33c0 }
            // n = 6, score = 700
            //   56                   | push                esi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 50 e8???????? 8d8e0c010000 8d4550 3bc8 }
            // n = 5, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8e0c010000         | lea                 ecx, [esi + 0x10c]
            //   8d4550               | lea                 eax, [ebp + 0x50]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_3 = { 0fb7c1 50 0fb74208 c1e910 }
            // n = 4, score = 700
            //   0fb7c1               | movzx               eax, cx
            //   50                   | push                eax
            //   0fb74208             | movzx               eax, word ptr [edx + 8]
            //   c1e910               | shr                 ecx, 0x10

        $sequence_4 = { 8ad0 8d4dd8 e8???????? c745fc06000000 }
            // n = 4, score = 700
            //   8ad0                 | mov                 dl, al
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   c745fc06000000       | mov                 dword ptr [ebp - 4], 6

        $sequence_5 = { 56 8d4dc0 c745d000000000 668945c0 e8???????? c645fc03 8b45bc }
            // n = 7, score = 700
            //   56                   | push                esi
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   668945c0             | mov                 word ptr [ebp - 0x40], ax
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]

        $sequence_6 = { 50 e8???????? 8d4568 8d4e60 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4568               | lea                 eax, [ebp + 0x68]
            //   8d4e60               | lea                 ecx, [esi + 0x60]

        $sequence_7 = { 50 ff15???????? e8???????? 40 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax

        $sequence_8 = { 50 e8???????? 6a10 33c0 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a10                 | push                0x10
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { ff15???????? 50 e8???????? 59 6a64 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   6a64                 | push                0x64

        $sequence_10 = { 897dfc e8???????? 68???????? 8d4dd8 }
            // n = 4, score = 200
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        $sequence_11 = { bf???????? c744243401000000 8b4e58 3b8174030000 }
            // n = 4, score = 100
            //   bf????????           |                     
            //   c744243401000000     | mov                 dword ptr [esp + 0x34], 1
            //   8b4e58               | mov                 ecx, dword ptr [esi + 0x58]
            //   3b8174030000         | cmp                 eax, dword ptr [ecx + 0x374]

        $sequence_12 = { bfc0010000 eb0d 33c0 68???????? }
            // n = 4, score = 100
            //   bfc0010000           | mov                 edi, 0x1c0
            //   eb0d                 | jmp                 0xf
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     

        $sequence_13 = { bf???????? 8b4c2424 8d41ff 83f81d 0f87b6030000 0fb680e4664b00 }
            // n = 6, score = 100
            //   bf????????           |                     
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   8d41ff               | lea                 eax, [ecx - 1]
            //   83f81d               | cmp                 eax, 0x1d
            //   0f87b6030000         | ja                  0x3bc
            //   0fb680e4664b00       | movzx               eax, byte ptr [eax + 0x4b66e4]

        $sequence_14 = { bf???????? c7442410102c5000 7504 897c2410 }
            // n = 4, score = 100
            //   bf????????           |                     
            //   c7442410102c5000     | mov                 dword ptr [esp + 0x10], 0x502c10
            //   7504                 | jne                 6
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi

        $sequence_15 = { bf???????? 833cf56c4c540001 751e 8d04f5684c5400 8938 68a00f0000 }
            // n = 6, score = 100
            //   bf????????           |                     
            //   833cf56c4c540001     | cmp                 dword ptr [esi*8 + 0x544c6c], 1
            //   751e                 | jne                 0x20
            //   8d04f5684c5400       | lea                 eax, [esi*8 + 0x544c68]
            //   8938                 | mov                 dword ptr [eax], edi
            //   68a00f0000           | push                0xfa0

    condition:
        7 of them and filesize < 2932736
}
Download all Yara Rules