This post was authored by Warren MercerPaul Rascagneres and with contributions from Jungsoo An.

Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We named this case “Evil New Years”. The second one was about the analysis and discovery of the ROKRAT malware.

This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:

  • It contains the same reconnaissance code used;
  • Similar PDB pattern that the “Evil New Years” samples used;
  • it contains the same cloud features and similar copy-paste methods that ROKRAT used;
  • It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.



Talos Group

Talos Security Intelligence & Research Group