ROKRAT Reloaded

November 27, 2017

This post was authored by Warren Mercer and Paul Rascagneres, with contributions from Jungsoo An.

Earlier this year, Talos published two articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads from several compromised websites. One of the websites was a compromised government website. We named this case “Evil New Years”. The second one was about the analysis and discovery of the ROKRAT malware.

This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:

  • It contains the same reconnaissance code;
  • It has a PDB pattern similar to the one the “Evil New Years” samples used;
  • It contains the same cloud features and similar copy-paste methods that ROKRAT used;
  • It uses cloud platforms as C&C, although not exactly the same ones: this version uses pCloud, Box, Dropbox and Yandex.
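The last point is the one a defender can act on: C&C traffic to legitimate cloud-storage providers blends in with normal user activity, so the useful signal is which process talks to those services, and to how many of them. The following is an added detection example, not code from the original post or from Talos; it runs over a constructed, comma-separated proxy/EDR export (timestamp, endpoint, process path, destination host, method, path, status) and the provider API hostnames and the list of expected client processes are assumptions to adapt to your own environment.

```python
import csv
import io
from collections import defaultdict

# Assumed (not taken from the post): public API hostnames of the four cloud
# platforms the post names as ROKRAT C&C. Extend with CDN/content hosts as needed.
CLOUD_API_HOSTS = {
    "api.pcloud.com": "pcloud",
    "api.box.com": "box",
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "cloud-api.yandex.net": "yandex",
}

# Assumed set of processes for which reaching these services is expected
# (browsers and the vendors' own sync clients); anything else is worth a look.
EXPECTED_PROCESSES = {
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "dropbox.exe", "box.exe", "pcloud.exe", "yandexdisk.exe",
}


def process_basename(path):
    """Return the lower-cased file name of a Windows or POSIX process path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_proxy_csv(text):
    """Parse the constructed CSV format; skips comments, blanks and short rows."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7 or row[0].startswith("#"):
            continue
        ts, endpoint, process, dest, method, path, status = row
        rows.append({
            "ts": ts, "endpoint": endpoint, "process": process,
            "dest": dest.strip().lower(), "method": method,
            "path": path, "status": int(status),
        })
    return rows


def flag_cloud_c2(text):
    """Return one finding per (endpoint, process) that contacts a cloud-storage
    API from a process not expected to do so, with the set of services touched."""
    touched = defaultdict(set)
    for rec in parse_proxy_csv(text):
        service = CLOUD_API_HOSTS.get(rec["dest"])
        if service is None or process_basename(rec["process"]) in EXPECTED_PROCESSES:
            continue
        touched[(rec["endpoint"], rec["process"])].add(service)

    findings = []
    for (endpoint, process), services in sorted(touched.items()):
        findings.append({
            "endpoint": endpoint,
            "process": process,
            "services": sorted(services),
            # One unexpected process reaching several distinct providers is the
            # ROKRAT-like pattern; a single provider may be a legitimate add-in.
            "severity": "high" if len(services) >= 2 else "medium",
        })
    return findings


# Constructed sample export; hostnames, paths and endpoints are illustrative.
SAMPLE_LOG = r"""# ts,endpoint,process_path,dest_host,method,path,status
2017-11-20T09:01:02Z,WS-017,C:\Program Files\Google\Chrome\chrome.exe,api.dropboxapi.com,POST,/2/files/upload,200
2017-11-20T09:01:05Z,WS-017,C:\Users\kim\AppData\Local\Temp\svchost.exe,api.pcloud.com,GET,/userinfo,200
2017-11-20T09:01:09Z,WS-017,C:\Users\kim\AppData\Local\Temp\svchost.exe,api.box.com,POST,/2.0/files/content,201
2017-11-20T09:02:11Z,WS-017,C:\Users\kim\AppData\Local\Temp\svchost.exe,cloud-api.yandex.net,GET,/v1/disk,200
2017-11-20T09:03:00Z,WS-022,C:\Program Files\Dropbox\Client\Dropbox.exe,content.dropboxapi.com,POST,/2/files/upload,200
2017-11-20T09:03:30Z,WS-022,C:\Windows\System32\rundll32.exe,api.box.com,GET,/2.0/users/me,200
2017-11-20T09:04:00Z,WS-022,C:\Windows\System32\rundll32.exe,www.example.com,GET,/,200
"""

if __name__ == "__main__":
    for f in flag_cloud_c2(SAMPLE_LOG):
        print(f["severity"], f["endpoint"], f["process"], ",".join(f["services"]))
```

On the sample data the browser and the Dropbox client are ignored, the `svchost.exe` running from a user's Temp directory is reported as high severity for touching three providers, and `rundll32.exe` reaching only Box is reported as medium. In practice the expected-process allow list should be derived from your own baseline rather than the hard-coded names above.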


