Researchers have identified a stealthy new remote access tool dubbed ROKRAT that leverages a bevy of anti-detection measures. The RAT targets the Korean language Microsoft Word alternative Hangul Word Processor (HWP).
ROKRAT was detected several weeks ago by Cisco Talos, who said the malware is part of a phishing campaign by threat actors leveraging malicious email attachments. The goal of attackers is complete control over the victim’s system.
“This actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign,” wrote Cisco Talos researchers Warren Mercer, Paul Rascagneres and Matthew Molyett, who each co-authored a technical post regarding ROKRAT posted on Monday.
“We believe this is a targeted attack aimed at South Korean users in the public sector conducted by a sophisticated threat actor with access to native Korean speakers. Attacks on these individuals may be an attempt to gain a foothold into assets which can be deemed extremely valuable,” wrote Cisco Talos researchers in a previous February post on the same malicious file attachments used by threat actors in this most recent attack.
Targets of ROKRAT are sent phishing messages from an email address tied to South Korea’s Yonsei University on the topic of an upcoming and fictitious “Korean Reunification and North Korean Conference”. Recipients are enticed to open the attachments to provide feedback to conference organizers. While the phishing email references a fake Yonsei University conference, the university did hold a unification conference in January, lending credibility to the message.
Phishing email’s contain two HWP documents, each with an embedded Encapsulated PostScript (EPS) object. “The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT,” said researchers.
The EPS vulnerability CVE-2013-0808 dates back to a 2013 advisory by the Core Exploit Writers Team that warned of a EPS viewer buffer overflow vulnerability, allowing a remote attacker to execute arbitrary code on targeted machines.
“As with all HWP documents, the information is zlib compressed so you must decompress the .EPS to get the true shellcode,” researcher said. The shellcode is used to exploit the CVE-2013-0808 vulnerability and download ROKRAT binary from a C2 server in the form of either a .jpg file named “worker.jpg” or “kingstone.jpg”.
However, if the malware detects a sandbox environment it will not execute and try to confuse security researchers by appearing to connect and load either an Amazon video of a game called “Men of War” or a Hulu anime video called “Golden Time”. Neither of the URLs linking to the videos are malicious.
While the attack focuses on the Korean word processing program HWP, researchers warn the potential of the EPS flaw being exploited in Microsoft Word is a possibility. “Yes, it could since it was an EPS vulnerability. Anything that could embed an EPS file could be a potential (attack) vector,” said Craig Williams, senior technical leader, Cisco Talos in an interview with Threatpost.
Post infection, the malware continues its evasive behavior. “The RAT used during this campaign was innovative, using novel communication channels. ROKRAT uses Twitter and two cloud platforms – Yandex and Mediafire – in order to give orders, send files, and get files,” Williams said.
He said blocking malicious communication between the infected hosts and Twitter, Yandex and Mediafire within organizations is extremely difficult because of the fact they are legitimate services. Additionally, each of the services make use of HTTPS connectivity making it much more difficult to identify specific communication patterns or the usage of specific tokens, Williams said.
With control of a victim’s system, threat actors control the targeted computer and can install a keylogger or take application screen shots.
Cisco Talos said that attackers have found success with ROKRAT stating it has identified infected systems communicating with the attacker’s C2 servers as recently as this week.
“This investigation shows us once again that South Korean interests sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email which increased the chance of success,” researchers said.