ROKRAT is a new remote access tool recently identified by Cisco Talos, who report that it uses a range of anti-detection measures and targets mainly Hangul Word Processor (HWP), the Korean-language alternative to Microsoft Word. Researchers report that this malware is part of a phishing campaign in which the actor leverages malicious email attachments. The sole objective of the criminals behind the infection is to gain complete control over the compromised PC. It primarily targets the computers of South Korean users in the public sector.
In the ROKRAT case, the threat actor sent phishing messages from an email address tied to South Korea’s Yonsei University on the topic of an upcoming, fictitious ‘Korean Reunification and North Korean Conference’. The attackers were also observed to have compromised a legitimate email address belonging to a large forum run by a university in Seoul in order to send spear phishing email. The purpose of these emails is to trick the recipients into opening the attachments under the pretext of providing feedback to the conference organizers. The phishing emails were observed to carry two distinct HWP documents containing OLE objects, which in this case embed an EPS (Encapsulated PostScript) object.
The sole reason the criminals use EPS is to exploit a well-known vulnerability, CVE-2013-0808, in order to download a binary disguised as a .jpg file. This file is decoded and finally an executable, ‘ROKRAT’, is launched. Although EPS is a capable format, a flaw was found in it in 2013 and tracked as CVE-2013-0808: an EPS viewer buffer overflow vulnerability that can be exploited to execute arbitrary code on compromised machines.
In the ROKRAT case, all of the HWP documents were observed to contain data in zlib-compressed form, which must be decompressed to obtain the actual shellcode. The shellcode is used to trigger the CVE-2013-0808 vulnerability and download the ROKRAT RAT binary from the command and control server. According to analysts, if the tool detects a sandbox environment it halts its activity and does its best to mislead security researchers by generating fake traffic.
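As an added example (not code from the original report or from Talos), here is a small Python triage helper for the decompression step described above: it takes the bytes of one embedded HWP stream, tries zlib and raw deflate decompression, and reports whether the decoded data carries an EPS header, the kind of indicator an analyst would flag for closer inspection. The sample streams are constructed inline and are not real malware samples.

```python
import zlib

# Markers that identify an Encapsulated PostScript object once decoded.
EPS_MARKERS = (b"%!PS-Adobe", b"%!PS")


def decompress_stream(data: bytes):
    """Return (decoded_bytes, method) for one embedded HWP stream.

    HWP stores many of its streams compressed; real files commonly use raw
    deflate (no zlib header), so both wrappers are tried. If neither works,
    the input is returned unchanged with method 'none'.
    """
    for wbits, method in ((zlib.MAX_WBITS, "zlib"), (-zlib.MAX_WBITS, "raw-deflate")):
        try:
            return zlib.decompress(data, wbits), method
        except zlib.error:
            continue
    return data, "none"


def triage_stream(data: bytes) -> dict:
    """Decompress one stream and flag EPS content for analyst review."""
    decoded, method = decompress_stream(data)
    # An EPS header sits at the very top of the object, so only the
    # first bytes need to be checked.
    has_eps = any(marker in decoded[:256] for marker in EPS_MARKERS)
    return {
        "compression": method,
        "decoded_size": len(decoded),
        "eps_object": has_eps,
        "needs_review": has_eps,
    }


# Constructed sample: a harmless EPS-looking stream, stored once with a
# zlib wrapper and once as raw deflate, mimicking how the documents carry
# their compressed objects. No exploit content is included.
SAMPLE_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
SAMPLE_STREAM = zlib.compress(SAMPLE_EPS)
_raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
SAMPLE_RAW_STREAM = _raw.compress(SAMPLE_EPS) + _raw.flush()
SAMPLE_BENIGN_STREAM = zlib.compress(b"plain document text, no EPS here")

if __name__ == "__main__":
    for name, stream in (("zlib", SAMPLE_STREAM), ("raw", SAMPLE_RAW_STREAM),
                         ("benign", SAMPLE_BENIGN_STREAM)):
        print(name, triage_stream(stream))
```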
Researchers report that ROKRAT then appears to connect to and load either an Amazon video of the game ‘Men of War’ or a Hulu anime video, ‘Golden Time’. Given what this remote access tool can do, similar attacks against other high-value targets, such as Microsoft Word users, are likely. A new evolution of the ROKRAT RAT has recently been observed using several new communication channels, namely the Yandex, Twitter and Mediafire cloud platforms. In this way the attacker makes detection of the malicious traffic considerably more difficult.