ROKRAT is a cloud-based remote access tool (RAT) used by APT37. This software has been used to target victims in South Korea. APT37 used ROKRAT during several campaigns in 2016 through 2018. [1] [2]

ID: S0240
Platforms: Windows
Version: 2.2
Created: 17 October 2018
Last Modified: 23 November 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ROKRAT uses HTTPS for all command and control communication methods.[1][3]

Enterprise T1123 Audio Capture

ROKRAT has an audio capture and eavesdropping module.[4]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ROKRAT steals credentials stored in web browsers by querying the SQLite database.[2]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

ROKRAT steals credentials by leveraging the Windows Vault mechanism.[2]

Enterprise T1005 Data from Local System

ROKRAT can request to upload collected host data and additional files.[3]

Enterprise T1041 Exfiltration Over C2 Channel

ROKRAT sends collected files back over the same C2 channel.[1]

Enterprise T1083 File and Directory Discovery

ROKRAT has the ability to gather a list of files and directories on the infected system.[4][3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

ROKRAT can request to delete files.[3]

Enterprise T1105 Ingress Tool Transfer

ROKRAT retrieves additional malicious payloads from the C2 server.[1][3]

Enterprise T1056 .001 Input Capture: Keylogging

ROKRAT uses a keylogger to capture keystrokes and the location where the user is typing.[1]

Enterprise T1057 Process Discovery

ROKRAT lists the currently running processes on the system.[1][3]

Enterprise T1012 Query Registry

ROKRAT accesses the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the system manufacturer value and identify the machine type.[2]

Enterprise T1113 Screen Capture

ROKRAT captures screenshots of the infected system using the gdi32 library.[1][5][4][3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ROKRAT checks for debugging tools.[2][3]

Enterprise T1082 System Information Discovery

ROKRAT gathers the computer name and checks the OS version to ensure it does not run on Windows XP or Windows Server 2003 systems.[1][5][4][3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

ROKRAT checks for sandboxing libraries.[2][3]

Enterprise T1102 .002 Web Service: Bidirectional Communication

ROKRAT leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for C2 communications.[1][4]

Groups That Use This Software

ID Name References
G0067 APT37