1. Home
  2. Software
  3. ROKRAT

ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[1][2][3]

ID: S0240
Type: MALWARE
Platforms: Windows
Version: 2.3
Created: 17 October 2018
Last Modified: 30 March 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ROKRAT can use HTTP and HTTPS for command and control communication.[1][4][5]
Enterprise T1010 Application Window Discovery

ROKRAT can use the GetForegroundWindow and GetWindowText APIs to discover where the user is typing.[1]
Enterprise T1123 Audio Capture

ROKRAT has an audio capture and eavesdropping module.[6]
Enterprise T1115 Clipboard Data

ROKRAT can extract clipboard data from a compromised host.[3]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

ROKRAT has used Visual Basic for execution.[5]
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.[2]
.004 Credentials from Password Stores: Windows Credential Manager

ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[2]
Enterprise T1005 Data from Local System

ROKRAT can collect host data and specific file types.[4][3][5]
Enterprise T1622 Debugger Evasion

ROKRAT can check for debugging tools.[2][4][5]
Enterprise T1140 Deobfuscate/Decode Files or Information

ROKRAT can decrypt strings using the victim's hostname as the key.[3][5]
Enterprise T1480 .001 Execution Guardrails: Environmental Keying

ROKRAT relies on a specific victim hostname to execute and decrypt important strings.[3]
Enterprise T1041 Exfiltration Over C2 Channel

ROKRAT can send collected files back over same C2 channel.[1]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ROKRAT can send collected data to cloud storage services such as PCloud.[5][3]
Enterprise T1083 File and Directory Discovery

ROKRAT has the ability to gather a list of files and directories on the infected system.[6][4][3]
Enterprise T1070 .004 Indicator Removal: File Deletion

ROKRAT can request to delete files.[4]

Enterprise T1105 Ingress Tool Transfer

ROKRAT can retrieve additional malicious payloads from its C2 server.[1][4][3][5]
Enterprise T1056 .001 Input Capture: Keylogging

ROKRAT can use SetWindowsHookEx and GetKeyNameText to capture keystrokes.[1][3]
Enterprise T1112 Modify Registry

ROKRAT can modify the HKEY_CURRENT_USER\Software\Microsoft\Office\ registry key so it can bypass the VB object model (VBOM) on a compromised host.[5]
Enterprise T1106 Native API

ROKRAT can use a variety of API calls to execute shellcode.[5]
Enterprise T1027 Obfuscated Files or Information

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[3][5]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.[5]
Enterprise T1057 Process Discovery

ROKRAT can list the current running processes on the system.[1][4]
Enterprise T1055 Process Injection

ROKRAT can use VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread to execute shellcode within the address space of Notepad.exe.[5]
Enterprise T1012 Query Registry

ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[2]
Enterprise T1113 Screen Capture

ROKRAT can capture screenshots of the infected system using the gdi32 library.[1][7][6][4][5]
Enterprise T1082 System Information Discovery

ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.[1][7][6][4][3][5]
Enterprise T1033 System Owner/User Discovery

ROKRAT can collect the username from a compromised host.[5]
Enterprise T1204 .002 User Execution: Malicious File

ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing.[5]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

ROKRAT can check for VMware-related files and DLLs related to sandboxes.[2][4][5]
Enterprise T1102 .002 Web Service: Bidirectional Communication

ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.[1][6][3]

Groups That Use This Software

ID Name References
G0067 APT37

[2][6]

References

  1. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  2. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  3. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  4. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  1. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  2. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  3. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.