ROKRAT is a remote access tool (RAT) used by APT37, which has deployed it against victims in South Korea in several campaigns from 2016 through 2018. [1] [2]

ID: S0240
Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | ROKRAT steals credentials stored in web browsers by querying the browser's SQLite database and by leveraging the Windows Vault mechanism.[2]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | ROKRAT sends collected files back over the same C2 channel.[1]
Enterprise | T1056 | Input Capture | ROKRAT uses a keylogger to capture keystrokes and the location where the user is typing.[1]
Enterprise | T1057 | Process Discovery | ROKRAT lists the processes currently running on the system.[1]
Enterprise | T1012 | Query Registry | ROKRAT reads the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry value to obtain the system manufacturer and identify the machine type.[2]
Enterprise | T1105 | Remote File Copy | ROKRAT retrieves additional malicious payloads from the C2 server.[1]
Enterprise | T1113 | Screen Capture | ROKRAT captures screenshots of the infected system.[1][3]
Enterprise | T1063 | Security Software Discovery | ROKRAT checks for debugging tools.[2]
Enterprise | T1071 | Standard Application Layer Protocol | ROKRAT uses HTTPS for all command and control communication methods.[1]
Enterprise | T1082 | System Information Discovery | ROKRAT gathers the computer name and checks the OS version so that it does not run on Windows XP or Windows Server 2003 systems.[1][3]
Enterprise | T1497 | Virtualization/Sandbox Evasion | ROKRAT checks for sandboxing libraries.[2]
Enterprise | T1102 | Web Service | ROKRAT leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for command and control communications.[1]
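The Query Registry and Virtualization/Sandbox Evasion rows above both rest on the same artifact: the SMBiosData value holds the raw SMBIOS tables, and the type 1 (System Information) structure inside it names the machine's manufacturer and product, which is exactly what a VM-aware implant reads to decide whether it is inside VMware, VirtualBox or a similar guest. The following Python is an added example, not ROKRAT's code and not part of the ATT&CK entry: it parses a RawSMBIOSData blob, pulls out those two strings, and applies a constructed vendor-marker heuristic so a sandbox operator can check what their own guest would reveal. It assumes the registry value carries the same 8-byte RawSMBIOSData header that GetSystemFirmwareTable('RSMB') returns; the sample blob, its vendor strings and the VM_MARKERS list are constructed for the example.

```python
"""Parse a RawSMBIOSData blob (the layout stored in the SMBiosData registry
value) and pull out the System Information manufacturer/product strings.

Added example: not ROKRAT's code and not part of the ATT&CK entry. It assumes
the registry value carries the same 8-byte RawSMBIOSData header that
GetSystemFirmwareTable('RSMB') returns; the sample blob below is constructed.
"""
import struct

RAW_HEADER_LEN = 8          # Used20CallingMethod, Major, Minor, DmiRevision, Length
TYPE_BIOS_INFO = 0
TYPE_SYSTEM_INFO = 1
TYPE_END_OF_TABLE = 127

# Constructed marker list for the example; real sandboxes may expose other strings.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "kvm",
              "parallels", "bochs", "virtual machine")


def parse_smbios(blob):
    """Return [(type, handle, formatted_bytes, [strings]), ...] for each structure."""
    if len(blob) < RAW_HEADER_LEN:
        raise ValueError("blob shorter than the RawSMBIOSData header")
    _, _major, _minor, _rev, length = struct.unpack_from("<BBBBI", blob, 0)
    table = blob[RAW_HEADER_LEN:RAW_HEADER_LEN + length]
    if len(table) != length:
        raise ValueError("table truncated relative to header Length field")
    structures, pos = [], 0
    while pos + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, pos)
        if slen < 4 or pos + slen > len(table):
            raise ValueError(f"bad structure length {slen} at offset {pos}")
        formatted = table[pos:pos + slen]
        # The string set follows the formatted area: NUL-terminated strings,
        # closed by an empty string, so a structure with no strings is "\0\0".
        strings, p = [], pos + slen
        while True:
            end = table.find(b"\x00", p)
            if end == -1:
                raise ValueError(f"unterminated string set at offset {p}")
            if end == p:
                p = end + 1
                break
            strings.append(table[p:end].decode("ascii", "replace"))
            p = end + 1
        if not strings:
            p += 1          # skip the second NUL of an empty string set
        structures.append((stype, handle, formatted, strings))
        if stype == TYPE_END_OF_TABLE:
            break
        pos = p
    return structures


def _string(strings, index):
    """SMBIOS string references are 1-based; 0 means 'not specified'."""
    if index == 0 or index > len(strings):
        return ""
    return strings[index - 1]


def system_manufacturer(blob):
    """Return (manufacturer, product_name) from the type 1 structure, or ('', '')."""
    for stype, _handle, fmt, strs in parse_smbios(blob):
        if stype == TYPE_SYSTEM_INFO and len(fmt) >= 8:
            return _string(strs, fmt[4]), _string(strs, fmt[5])
    return "", ""


def looks_virtual(manufacturer, product):
    """Constructed heuristic: does the vendor string give away a hypervisor?"""
    haystack = f"{manufacturer} {product}".lower()
    return any(marker in haystack for marker in VM_MARKERS)


def _structure(stype, handle, body, strings):
    """Encode one SMBIOS structure: 4-byte header, formatted body, string set."""
    header = struct.pack("<BBH", stype, 4 + len(body), handle)
    string_set = (b"".join(s.encode("ascii") + b"\x00" for s in strings) or b"\x00") + b"\x00"
    return header + body + string_set


def build_sample_blob():
    """Constructed RawSMBIOSData blob describing a VMware-like guest."""
    bios = _structure(TYPE_BIOS_INFO, 0x0000,
                      bytes([1, 2]) + struct.pack("<H", 0xE800) + bytes([3, 0]) + b"\x00" * 8,
                      ["Example BIOS Vendor", "1.00", "01/01/2020"])
    # type 1 body: manufacturer, product, version, serial (string indexes),
    # 16-byte UUID, wake-up type, SKU and family string indexes
    system = _structure(TYPE_SYSTEM_INFO, 0x0001,
                        bytes([1, 2, 3, 4]) + b"\x00" * 16 + bytes([6, 5, 6]),
                        ["VMware, Inc.", "VMware Virtual Platform", "None",
                         "VMware-42 00 00 00", "SKU-0", "Example Family"])
    end = _structure(TYPE_END_OF_TABLE, 0x0002, b"", [])
    table = bios + system + end
    return struct.pack("<BBBBI", 0, 2, 4, 0, len(table)) + table


SAMPLE_BLOB = build_sample_blob()


def read_registry_blob():
    """On Windows, read the real value (the key ROKRAT is reported to query)."""
    import winreg  # only available on Windows
    path = r"SYSTEM\CurrentControlSet\Services\mssmbios\Data"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _kind = winreg.QueryValueEx(key, "SMBiosData")
    return value


if __name__ == "__main__":
    try:
        blob = read_registry_blob()
    except (ImportError, OSError):
        blob = SAMPLE_BLOB          # not on Windows, or key unreadable
    vendor, product = system_manufacturer(blob)
    print(f"manufacturer={vendor!r} product={product!r} virtual={looks_virtual(vendor, product)}")
```

Run on a Windows host, the script reads the live value with winreg and reports what the type 1 structure says; elsewhere it falls back to the constructed blob. Because the SMBIOS tables are read from the registry rather than from firmware, an analysis VM can be made to present a plausible OEM manufacturer string to malware that uses this check, and the same parser shows whether that change actually took effect.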


Groups that use this software: