win.rokrat

RokRAT

aka: DOGCALL

Actor(s): APT37


RokRAT (DOGCALL) is a backdoor commonly distributed as an encoded binary file that is downloaded and decrypted by shellcode after a weaponized document has been opened and its exploit has run. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual-machine checks, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex.

References

2024-03-04 | Weixin | Hunting Shadow Lab
Shadow Hunting: Analysis of APT37’s attack activities against South Korea using North Korean political topics
Families: RokRAT

2024-03-01 | 0x0v1 | Ovi
APT37's ROKRAT HWP Object Linking and Embedding
Families: RokRAT

2023-06-06 | Security Intelligence | Agnes Ramos-Beauchamp, Claire Zaboeva, Joshua Chung, Melissa Frydrych
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)
Families: RokRAT

2023-05-01 | Check Point Research | Check Point Research
Chain Reaction: RokRAT's Missing Link
Families: Amadey, RokRAT

2023-04-26 | AhnLab | bghjmun
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
Families: RokRAT

2023-03-23 | Medium s2wlab | BLKSMTH, S2W TALON
Scarcruft Bolsters Arsenal for targeting individual Android devices
Families: RambleOn, RokRAT

2023-01-01 | ThreatMon | Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team
Reverse Engineering RokRAT: A Closer Look at APT37’s Onedrive-Based Attack Vector
Families: RokRAT

2022-09-28 | Twitter (@ESETresearch) | ESET Research
Twitter Thread linking CloudMensis to RokRAT / ScarCruft
Families: CloudMensis, RokRAT

2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Moldy Pisces
Families: RokRAT, APT37

2022-04-28 | PWC | PWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Families: Cobalt Strike, Conti, PlugX, RokRAT, Inception Framework, Red Menshen

2021-08-24 | Volexity | Damien Cash, Josh Grunzweig, Steven Adair, Thomas Lancaster
North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
Families: RokRAT

2021-07-14 | Medium s2wlab | Jaeki Kim
Matryoshka: Variant of ROKRAT, APT37 (Scarcruft)
Families: RokRAT

2021-02-18 | PTSecurity | PTSecurity
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Families: Poet RAT, Gravity RAT, Ketrican, Okrum, OopsIE, Remcos, RogueRobinNET, RokRAT, SmokeLoader

2021-01-06 | Malwarebytes | Hossein Jazi
Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
Families: RokRAT

2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
Cloud Threat Landscape Report 2020
Families: QNAPCrypt, RokRAT

2020-05-21 | PICUS Security | Süleyman Özarslan
T1055 Process Injection
Families: BlackEnergy, Cardinal RAT, Downdelph, Emotet, Kazuar, RokRAT, SOUNDBITE

2020-03-30 | Kaspersky SAS | Seongsu Park
Behind the Mask of ScarCruft
Families: RokRAT

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-02-19 | Lexfo | Lexfo
The Lazarus Constellation: A study on North Korean malware
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2019-08-12 | Kindred Security | Kindred Security
An Overview of Public Platform C2’s
Families: HTML5 Encoding, LOWBALL, Makadocs, MiniDuke, RogueRobinNET, RokRAT

2019-08-01 | Kaspersky Labs | GReAT
APT trends report Q2 2019
Families: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy

2019-05-13 | Kaspersky Labs | GReAT
ScarCruft continues to evolve, introduces Bluetooth harvester
Families: Konni, RokRAT, UACMe, APT37

2018-11-16 | Kim Yejun
Return to ROKRAT!! (feat. FAAAA...Sad...)
Families: RokRAT

2018-10-03 | Intezer | Jay Rosenberg
APT37: Final1stspy Reaping the FreeMilk
Families: Final1stSpy, RokRAT

2018-02-27 | VMWare Carbon Black | Jared Myers
Threat Analysis: ROKRAT Malware
Families: RokRAT

2018-02-20 | FireEye | FireEye
APT37 (REAPER): The Overlooked North Korean Actor
Families: PoorWeb, RokRAT, APT37

2018-01-16 | Cisco Talos | Paul Rascagnères, Warren Mercer
Korea In The Crosshairs
Families: Freenki Loader, RokRAT, APT37

2018-01-16 | Cisco Talos | Jungsoo An, Paul Rascagnères, Warren Mercer
Korea In The Crosshairs
Families: Freenki Loader, PoohMilk Loader, RokRAT, APT37

2017-11-28 | Cisco | Jungsoo An, Paul Rascagnères, Warren Mercer
ROKRAT Reloaded
Families: RokRAT

2017-04-03 | Cisco Talos | Matthew Molyett, Paul Rascagnères, Warren Mercer
Introducing ROKRAT
Families: RokRAT

2017-01-01 | Cisco Talos | Paul Rascagnères, Warren Mercer
Introducing ROKRAT
Families: RokRAT
Yara Rules
[TLP:WHITE] win_rokrat_auto (20230808 | Detects win.rokrat.)
rule win_rokrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rokrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 6a04 33c0 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a04                 | push                4
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 50 8bcf e8???????? 8d4538 3bd8 }
            // n = 5, score = 700
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d4538               | lea                 eax, [ebp + 0x38]
            //   3bd8                 | cmp                 ebx, eax

        $sequence_2 = { 50 0fb74208 c1e910 51 50 }
            // n = 5, score = 700
            //   50                   | push                eax
            //   0fb74208             | movzx               eax, word ptr [edx + 8]
            //   c1e910               | shr                 ecx, 0x10
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_3 = { 50 8bcb e8???????? 8d4550 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8d4550               | lea                 eax, [ebp + 0x50]

        $sequence_4 = { 50 e8???????? 8d8edc000000 8d4520 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8edc000000         | lea                 ecx, [esi + 0xdc]
            //   8d4520               | lea                 eax, [ebp + 0x20]

        $sequence_5 = { 56 8d4dc0 c745d000000000 668945c0 e8???????? c645fc03 8b45bc }
            // n = 7, score = 700
            //   56                   | push                esi
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   668945c0             | mov                 word ptr [ebp - 0x40], ax
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]

        $sequence_6 = { 50 ff15???????? e8???????? 40 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax

        $sequence_7 = { 51 50 0fb74212 50 }
            // n = 4, score = 700
            //   51                   | push                ecx
            //   50                   | push                eax
            //   0fb74212             | movzx               eax, word ptr [edx + 0x12]
            //   50                   | push                eax

        $sequence_8 = { 770a 68???????? e8???????? 837e1408 }
            // n = 4, score = 700
            //   770a                 | ja                  0xc
            //   68????????           |                     
            //   e8????????           |                     
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8

        $sequence_9 = { ff15???????? 50 e8???????? 59 6a64 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   6a64                 | push                0x64

        $sequence_10 = { 897dfc e8???????? 68???????? 8d4dd8 }
            // n = 4, score = 200
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        $sequence_11 = { c145f41e 8b5dfc 8db4339979825a 8975fc }
            // n = 4, score = 100
            //   c145f41e             | rol                 dword ptr [ebp - 0xc], 0x1e
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   8db4339979825a       | lea                 esi, [ebx + esi + 0x5a827999]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi

        $sequence_12 = { c145f01e 8db4339979825a 8975f4 8b772c }
            // n = 4, score = 100
            //   c145f01e             | rol                 dword ptr [ebp - 0x10], 0x1e
            //   8db4339979825a       | lea                 esi, [ebx + esi + 0x5a827999]
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   8b772c               | mov                 esi, dword ptr [edi + 0x2c]

        $sequence_13 = { c145f41e 8d9c3bd6c162ca 8b792c 337924 }
            // n = 4, score = 100
            //   c145f41e             | rol                 dword ptr [ebp - 0xc], 0x1e
            //   8d9c3bd6c162ca       | lea                 ebx, [ebx + edi - 0x359d3e2a]
            //   8b792c               | mov                 edi, dword ptr [ecx + 0x2c]
            //   337924               | xor                 edi, dword ptr [ecx + 0x24]

        $sequence_14 = { c145f41e 8d8c0bdcbc1b8f 894dfc 8bca }
            // n = 4, score = 100
            //   c145f41e             | rol                 dword ptr [ebp - 0xc], 0x1e
            //   8d8c0bdcbc1b8f       | lea                 ecx, [ebx + ecx - 0x70e44324]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8bca                 | mov                 ecx, edx

        $sequence_15 = { c145f41e 8d9c1fd6c162ca 8b793c 337930 }
            // n = 4, score = 100
            //   c145f41e             | rol                 dword ptr [ebp - 0xc], 0x1e
            //   8d9c1fd6c162ca       | lea                 ebx, [edi + ebx - 0x359d3e2a]
            //   8b793c               | mov                 edi, dword ptr [ecx + 0x3c]
            //   337930               | xor                 edi, dword ptr [ecx + 0x30]

    condition:
        7 of them and filesize < 2932736
}
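One check worth running before assigning this rule a confidence level: the five score-100 sequences at its end ($sequence_11 to $sequence_15) each pair a `rol dword ptr [ebp+disp8], 0x1e` with a `lea` whose 32-bit displacement is one of the SHA-1 round constants from FIPS 180-4 (0x5a827999, 0x8f1bbcdc, 0xca62c1d6; the disassembly shows the last two as negative displacements of the same value). That is the signature of a statically linked SHA-1 routine rather than of anything RokRAT-specific, which is consistent with their low score. The Python below is an editorial example added to this page, not Malpedia or yara-signator code; it decodes the displacements directly from the rule's own byte strings (copied from above) and reports which sequences look SHA-1-derived. Because the condition requires `7 of them`, these five alone cannot fire the rule, so a clean SHA-1 library is not by itself a false positive; the check matters when trimming or re-weighting sequences.

```python
import struct

# SHA-1 round constants from FIPS 180-4 (a known fact, not taken from the page).
SHA1_K = {
    0x5A827999: "K[0..19]",
    0x6ED9EBA1: "K[20..39]",
    0x8F1BBCDC: "K[40..59]",
    0xCA62C1D6: "K[60..79]",
}

# Byte strings copied verbatim from the win_rokrat_auto rule above.
LOW_SCORE_SEQUENCES = {
    "sequence_11": "c145f41e 8b5dfc 8db4339979825a 8975fc",
    "sequence_12": "c145f01e 8db4339979825a 8975f4 8b772c",
    "sequence_13": "c145f41e 8d9c3bd6c162ca 8b792c 337924",
    "sequence_14": "c145f41e 8d8c0bdcbc1b8f 894dfc 8bca",
    "sequence_15": "c145f41e 8d9c1fd6c162ca 8b793c 337930",
}
# A score-700 sequence from the same rule, kept for contrast.
HIGH_SCORE_SEQUENCE_5 = "56 8d4dc0 c745d000000000 668945c0 e8???????? c645fc03 8b45bc"


def lea_disp32_immediates(seq):
    """Return the disp32 of every 7-byte `lea r32, [base + index + disp32]`
    (opcode 8D, ModRM mod=10 rm=100, then SIB and disp32) in a sequence string."""
    found = []
    for tok in seq.split():
        if "?" in tok:  # wildcarded call/jump targets carry no bytes to decode
            continue
        b = bytes.fromhex(tok)
        if len(b) == 7 and b[0] == 0x8D and (b[1] >> 6) == 0b10 and (b[1] & 0b111) == 0b100:
            found.append(struct.unpack("<I", b[3:7])[0])  # little-endian disp32
    return found


def has_rol30(seq):
    """True if the sequence contains `rol dword ptr [ebp + disp8], 0x1e`
    (C1 /0 ib with ModRM 45): the b = rol(b, 30) step of every SHA-1 round."""
    return any(len(t) == 8 and t.startswith("c145") and t.endswith("1e")
               for t in seq.split())


def classify(seq):
    """Summarise the SHA-1 indicators found in one yara-signator sequence."""
    consts = [SHA1_K[d] for d in lea_disp32_immediates(seq) if d in SHA1_K]
    rol = has_rol30(seq)
    return {"sha1_constants": consts, "rol30": rol,
            "looks_like_sha1": bool(consts) and rol}


def sha1_like_sequences(sequences=LOW_SCORE_SEQUENCES):
    """Names of the sequences that carry both a SHA-1 constant and the rol-30 step."""
    return [name for name, seq in sequences.items() if classify(seq)["looks_like_sha1"]]


if __name__ == "__main__":
    for name, seq in LOW_SCORE_SEQUENCES.items():
        print(name, classify(seq))
    print("sequence_5", classify(HIGH_SCORE_SEQUENCE_5))
```

The decoder deliberately recognises only the one `lea` encoding these sequences use (ModRM mod=10 with a SIB byte); extending it to other displacement forms would be straightforward but is not needed to audit this rule.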