Cisco Blogs
Share

ROKRAT Reloaded

- November 27, 2017 - 0 Comments

This post was authored by Warren MercerPaul Rascagneres and with contributions from Jungsoo An.

Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We named this case “Evil New Years”. The second one was about the analysis and discovery of the ROKRAT malware.

This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:

  • It contains the same reconnaissance code used;
  • Similar PDB pattern that the “Evil New Years” samples used;
  • it contains the same cloud features and similar copy-paste methods that ROKRAT used;
  • It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.

Read More >>

Tags:
Leave a comment

We'd love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed and HTML formatting will not appear.

Share