RokRAT (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.rokrat (Back to overview)

RokRAT

aka: DOGCALL

Actor(s): APT37

VTCollection

It is a backdoor commonly distributed as an encoded
binary file downloaded and decrypted by shellcode following the
exploitation of weaponized documents. DOGCALL is capable of
capturing screenshots, logging keystrokes, evading analysis with
anti-virtual machine detections, and leveraging cloud storage APIs
such as Cloud, Box, Dropbox, and Yandex.

References

2025-03-01 ⋅ ZW01f ⋅ Mohamed Ezat
An in-depth analysis of APT37’s latest campaign
RokRAT

2025-02-20 ⋅ Cyber Security News ⋅ Balaji N
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware
RokRAT

2024-05-07 ⋅ AhnLab ⋅ ASEC
LNK File Disguised as Certificate Distributing RokRAT Malware
RokRAT

2024-03-04 ⋅ ⋅ Weixin ⋅ Hunting Shadow Lab
Shadow Hunting: Analysis of APT37’s attack activities against South Korea using North Korean political topics
RokRAT

2024-03-01 ⋅ 0x0v1 ⋅ Ovi
APT37's ROKRAT HWP Object Linking and Embedding
RokRAT

2023-06-06 ⋅ Security Intelligence ⋅ Agnes Ramos-Beauchamp, Claire Zaboeva, Joshua Chung, Melissa Frydrych
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)
RokRAT

2023-05-01 ⋅ Check Point Research ⋅ Check Point Research
Chain Reaction: RokRAT's Missing Link
Amadey RokRAT

2023-04-26 ⋅ AhnLab ⋅ bghjmun
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
RokRAT

2023-03-23 ⋅ Medium s2wlab ⋅ BLKSMTH, S2W TALON
Scarcruft Bolsters Arsenal for targeting individual Android devices
RambleOn RokRAT

2023-01-01 ⋅ ThreatMon ⋅ Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team
Reverse Engineering RokRAT: A Closer Look at APT37’s Onedrive-Based Attack Vector
RokRAT

2022-09-28 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Twitter Thread linking CloudMensis to RokRAT / ScarCruft
CloudMensis RokRAT

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Moldy Pisces
RokRAT APT37

2022-04-28 ⋅ PWC ⋅ PWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen

2021-08-24 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Steven Adair, Thomas Lancaster
North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
RokRAT

2021-07-14 ⋅ Medium s2wlab ⋅ Jaeki Kim
Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)
RokRAT

2021-02-18 ⋅ PTSecurity ⋅ PTSecurity
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader

2021-01-06 ⋅ Malwarebytes ⋅ Hossein Jazi
Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
RokRAT

2020-06-16 ⋅ IBM ⋅ IBM Security X-Force® Incident Responseand Intelligence Services (IRIS)
Cloud ThreatLandscape Report 2020
QNAPCrypt RokRAT

2020-05-21 ⋅ PICUS Security ⋅ Süleyman Özarslan
T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE

2020-03-30 ⋅ Kaspersky SAS ⋅ Seongsu Park
Behind the Mask of ScarCruft
RokRAT

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2019-08-12 ⋅ Kindred Security ⋅ Kindred Security
An Overview of Public Platform C2’s
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT

2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy

2019-05-13 ⋅ Kaspersky Labs ⋅ GReAT
ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37

2018-11-16 ⋅ ⋅ Kim Yejun
Return to ROKRAT!! (feat. FAAAA...Sad...)
RokRAT

2018-10-03 ⋅ Intezer ⋅ Jay Rosenberg
APT37: Final1stspy Reaping the FreeMilk
Final1stSpy RokRAT

2018-02-27 ⋅ VMWare Carbon Black ⋅ Jared Myers
Threat Analysis: ROKRAT Malware
RokRAT

2018-02-20 ⋅ FireEye ⋅ FireEye
APT37 (REAPER) The Overlooked North Korean Actor
PoorWeb RokRAT APT37

2018-01-16 ⋅ Cisco Talos ⋅ Paul Rascagnères, Warren Mercer
Korea In The Crosshairs
Freenki Loader RokRAT APT37

2018-01-16 ⋅ Cisco Talos ⋅ Jungsoo An, Paul Rascagnères, Warren Mercer
Korea In The Crosshairs
Freenki Loader PoohMilk Loader RokRAT APT37

2017-11-28 ⋅ Cisco ⋅ Jungsoo An, Paul Rascagnères, Warren Mercer
ROKRAT Reloaded
RokRAT

2017-04-03 ⋅ Cisco Talos ⋅ Matthew Molyett, Paul Rascagnères, Warren Mercer
Introducing ROKRAT
RokRAT

2017-01-01 ⋅ Cisco Talos ⋅ Paul Rascagnères, Warren Mercer
Introducing ROKRAT
RokRAT

Yara Rules

[TLP:WHITE] win_rokrat_auto (20241030 | Detects win.rokrat.)

rule win_rokrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.rokrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 6a18 33c0 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a18                 | push                0x18
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 50 e8???????? 6a10 33c0 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a10                 | push                0x10
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 50 e8???????? 8d4568 8d4e60 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4568               | lea                 eax, [ebp + 0x68]
            //   8d4e60               | lea                 ecx, [esi + 0x60]

        $sequence_3 = { 6a00 50 8bcb e8???????? 8d4550 }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8d4550               | lea                 eax, [ebp + 0x50]

        $sequence_4 = { 668945d8 e8???????? c645fc03 8b45bc }
            // n = 4, score = 700
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]

        $sequence_5 = { 0fb7c1 50 0fb74208 c1e910 51 50 0fb74212 }
            // n = 7, score = 700
            //   0fb7c1               | movzx               eax, cx
            //   50                   | push                eax
            //   0fb74208             | movzx               eax, word ptr [edx + 8]
            //   c1e910               | shr                 ecx, 0x10
            //   51                   | push                ecx
            //   50                   | push                eax
            //   0fb74212             | movzx               eax, word ptr [edx + 0x12]

        $sequence_6 = { 56 50 8d45f4 64a300000000 c745fc00000000 33c0 }
            // n = 6, score = 700
            //   56                   | push                esi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 50 ff15???????? e8???????? 40 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   40                   | inc                 eax

        $sequence_8 = { 50 8bcf e8???????? 8d4538 3bd8 }
            // n = 5, score = 700
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d4538               | lea                 eax, [ebp + 0x38]
            //   3bd8                 | cmp                 ebx, eax

        $sequence_9 = { ff15???????? 50 e8???????? 59 6a64 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   6a64                 | push                0x64

        $sequence_10 = { 897dfc e8???????? 68???????? 8d4dd8 e8???????? }
            // n = 5, score = 200
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     

        $sequence_11 = { c1e004 8b44100c 5d 5b }
            // n = 4, score = 100
            //   c1e004               | shl                 eax, 4
            //   8b44100c             | mov                 eax, dword ptr [eax + edx + 0xc]
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx

        $sequence_12 = { c1e006 03048dc03b5500 eb02 8bc2 }
            // n = 4, score = 100
            //   c1e006               | shl                 eax, 6
            //   03048dc03b5500       | add                 eax, dword ptr [ecx*4 + 0x553bc0]
            //   eb02                 | jmp                 4
            //   8bc2                 | mov                 eax, edx

        $sequence_13 = { c1e004 8b441008 85c0 7418 }
            // n = 4, score = 100
            //   c1e004               | shl                 eax, 4
            //   8b441008             | mov                 eax, dword ptr [eax + edx + 8]
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a

        $sequence_14 = { c1e004 8b441004 8d5001 8a08 40 }
            // n = 5, score = 100
            //   c1e004               | shl                 eax, 4
            //   8b441004             | mov                 eax, dword ptr [eax + edx + 4]
            //   8d5001               | lea                 edx, [eax + 1]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax

        $sequence_15 = { c1e004 8d0c10 51 e8???????? }
            // n = 4, score = 100
            //   c1e004               | shl                 eax, 4
            //   8d0c10               | lea                 ecx, [eax + edx]
            //   51                   | push                ecx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 2932736
}

Download all Yara Rules

RokRAT Propose Change

References

Yara Rules

RokRAT