This post was authored by Warren Mercer and Paul Rascagneres, with contributions from Jungsoo An.
Earlier this year, Talos published two articles concerning South Korean threats. The first covered a malicious HWP document that dropped downloaders, which in turn retrieved malicious payloads from several compromised websites; one of those websites belonged to a government agency. We named this case "Evil New Years". The second covered the discovery and analysis of the ROKRAT malware.
This month, Talos discovered a new ROKRAT version. It contains technical elements that link the two previous articles, reusing code described in both publications from earlier this year:
- It contains the same reconnaissance code;
- Its PDB path follows a pattern similar to the one seen in the "Evil New Years" samples;
- It contains the same cloud features and similar copy-paste methods that ROKRAT used;
- It still uses cloud platforms for C&C, but not the same set as before: this version uses pCloud, Box, Dropbox and Yandex.