ROKRAT Detection: Malware Adopts New Deployment Methods Relying on Large LNK Files

Adversaries are constantly looking for novel ways to overcome security protections. After Microsoft started blocking macros for Office documents by default last year, cybercriminals adapted their deployment methods to slip through the defense. APT37 follows this major trend, using Windows shortcut (LNK) files to proceed with the ROKRAT (aka DOGCALL) campaigns successfully.Ā 

Detect ROKRAT Malware Attacks

Security practitioners require a trusted source of detection content to secure critical organizational assets and timely identify possible intrusions. SOC Prime Platform offers a batch of Sigma rules to detect the latest ROKRAT campaigns.

Suspicious ROKRAT Malware Execution by Detection of Associated CommandLine by APT37 Group (via process_creation)

This detection rule created by Mustafa Gurkan KARAKAYA, a seasoned Threat Bounty developer, identifies the execution of ROKRAT malware through a malicious DLL file by the associated command line. The rule is compatible with 23 SIEM, EDR, and XDR solutions, and is mapped to the MITRE ATT&CKĀ® framework , specifically addressing the Execution tactic and the Command and Scripting Interpreter (T1059) technique.

Are you eager to put your detection engineering and threat hunting skills to good use while also making the world a safer place? Join SOC Prime’s Threat Bounty Program and publish your Sigma rules to the largest threat detection marketplace. Becoming a member of our crowdsourcing initiative, you can enhance your future CV and connect with industry experts, while also receiving financial benefits for your contributions.

Hit the Explore Detections button below to access the complete list of Sigma rules for detecting ROKRAT malware. All Sigma rules are enriched with relevant cyber threat intelligence, providing a comprehensive context of the attacks and adversary behavior patterns to streamline your investigation.

Explore Detections

Analyzing New ROKRAT Infection Chain

To keep up with the ever-changing attack surface, APT37 nation-state actor has adopted new deployment methods for their core malicious sample ROKRAT.Ā 

ROKRAT backdoor is frequently leveraged for credential dumping, information stealing, command and shellcode execution, and more. Since July 2022, security experts have observed a shift from malicious macros to large LNK files used to initiate ROKRATā€™s multi-stage infection chain. Notably, the same approach was applied in other APT37 attacks resulting in custom GOLDBACKDOOR and commodity Amadey malware deployment.

The latest ROKRAT campaigns are largely focused on South Korean public sector institutions, which is a traditional target of interest for APT37. This hacking collective is affiliated with North Korea’s Ministry of State Security and has been active since at least 2012. Starting in 2017, the adversaries expanded their targeting beyond South Korea exclusively, now seeking victims globally. The affected sectors include but are not limited to manufacturing, electronics, healthcare, and automotive industry verticals.

As attack surfaces become more complex, organizations are seeking methods to detect emerging threats promptly and safeguard their infrastructure from possible intrusions. SOC Prime provides comprehensive detection content that addresses the latest malware threats, ensuring that your organization is fully equipped to stay ahead of adversaries. Visit https://socprime.com/ to learn more about emerging threats or reach those tailored to the threat profile of your organization with On Demand subscription at https://my.socprime.com/pricing.Ā 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts