ROKRAT Malware

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-033-002
Countries: IN, CN
Report Date: 20180309

ROKRAT Malware

ROKRAT (also referred to as DOGcall) is a family of malware that has been used by attackers originating from North Korea.[1] 

Infection Methodology

The primary infection mechanism is a spear phishing attack. The emails carried an attached Hangul Word Processor (HWP) document[2] and were sent from an email server at Yonsei University, a private university in Seoul, South Korea; the sender address was 'kgf2016@yonsei.ac.kr'. Some of the emails used during the campaign are shown below:

Figure 1 – Example Spear Phishing Email[3]  

Figure 2 – Another Phishing email used in campaign[4]

The HWP document contains an embedded Encapsulated PostScript (EPS) object whose purpose is to exploit a well-known vulnerability (CVE-2013-0808) in order to download a binary disguised as a .jpg file.

CVE-2013-0808 is a buffer overflow in EPS Viewer. A remote attacker can exploit it to execute arbitrary code on the target machine by enticing an EPS Viewer user to open a specially crafted EPS file[5].

Analysis

The malicious HWP document exploits CVE-2013-0808. The following shellcode is embedded in the exploit:

Figure 3 - Embedded Shellcode

The shellcode downloads an encoded payload file from the internet, decodes it, and executes the decoded payload.

The core payload is a Remote Administration Tool (RAT)[6]. When first executed it profiles the OS version; if the version is 6.2 (Windows 8/Server 2012) or greater, it checks whether the current process is running under WOW64. It then gathers information about the OS and system and runs a series of anti-analysis checks intended to determine whether it is being analyzed in a sandbox or by a researcher. The first check is whether the process is being debugged. The payload then compares the names of the processes running on the victim machine against the following list of substrings (each fragment is a substring of the targeted tool's process name):

  • "mtool" for VMware Tools
  • "llyd" for OllyDBG
  • "ython" for Python (used by Cuckoo Sandbox for example)
  • "ilemo" for File Monitor
  • "egmon" for Registry Monitor
  • "peid" for PEiD
  • "rocex" for Process Explorer
  • "vbox" for VirtualBox
  • "iddler" for Fiddler
  • "ortmo" for Portmon
  • "iresha" for Wireshark
  • "rocmo" for Process Monitor
  • "utoru" for Autoruns
  • "cpvie" for TCPView

If any of these processes is found running during this phase of execution, the malware jumps to a fake function that generates dummy HTTP traffic instead of continuing with its normal execution.
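As an added illustration (not code from the report or from the malware itself), the following Python reproduces the substring check above against a constructed list of process names, showing which tool each fragment catches. The report does not say whether the comparison is case-sensitive; the case-insensitive default below is an assumption, and the example exposes what changes when it is turned off.

```python
"""Added example reproducing ROKRAT's process-name fragment check.

Not the malware's code: the fragment list comes from the report, the
process lists are constructed, and case-insensitive matching is an
assumption (the report does not specify it).
"""

# Fragment -> tool it targets, exactly as listed in the report.
ROKRAT_PROCESS_FRAGMENTS = {
    "mtool": "VMware Tools",
    "llyd": "OllyDbg",
    "ython": "Python (e.g. Cuckoo Sandbox agent)",
    "ilemo": "File Monitor",
    "egmon": "Registry Monitor",
    "peid": "PEiD",
    "rocex": "Process Explorer",
    "vbox": "VirtualBox",
    "iddler": "Fiddler",
    "ortmo": "Portmon",
    "iresha": "Wireshark",
    "rocmo": "Process Monitor",
    "utoru": "Autoruns",
    "cpvie": "TCPView",
}


def detect_analysis_tools(process_names, case_insensitive=True):
    """Return {process_name: (fragment, tool)} for every process whose
    name contains one of the fragments.

    Assumption: with case_insensitive=True both sides are lowercased.
    Most fragments already omit the tool's leading capital, so a
    case-sensitive compare still hits Procmon.exe or Wireshark.exe, but
    'peid' and 'vbox' only match PEiD.exe / VBoxService.exe when the
    comparison ignores case.
    """
    hits = {}
    for name in process_names:
        haystack = name.lower() if case_insensitive else name
        for fragment, tool in ROKRAT_PROCESS_FRAGMENTS.items():
            needle = fragment.lower() if case_insensitive else fragment
            if needle in haystack:
                hits[name] = (fragment, tool)
                break  # one hit per process is enough
    return hits


def would_detonate(process_names):
    """True when no fragment matches, i.e. the sample would continue to
    its real C2 rather than jump to the dummy-HTTP decoy function."""
    return not detect_analysis_tools(process_names)


# Constructed sample process lists (not captured from a real host).
CLEAN_HOST = ["explorer.exe", "svchost.exe", "Hwp.exe", "outlook.exe"]
ANALYST_HOST = CLEAN_HOST + [
    "vmtoolsd.exe", "Procmon.exe", "PEiD.exe", "Wireshark.exe",
]

if __name__ == "__main__":
    for label, procs in (("clean", CLEAN_HOST), ("analyst", ANALYST_HOST)):
        hits = detect_analysis_tools(procs)
        verdict = "detonates" if would_detonate(procs) else f"decoy path, matched {hits}"
        print(f"{label}: {verdict}")
```

A consequence worth noting when building a sandbox: renaming tools is not enough if the renamed binary still contains the fragment (a "procmon64.exe" copy still matches "rocmo"), while PEiD and VirtualBox only trip the check if the sample lowercases names, which the report leaves open.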

The malware can also capture screenshots and log keystrokes on the infected computer.

After the checks complete, the payload creates an additional thread (from the Start Address) to initiate communications with the command and control infrastructure.

Command and Control

The malware uses Twitter and two cloud platforms, Yandex and Mediafire, as both C2 channels and exfiltration platforms. These services are difficult to block globally within organizations because their use is viewed as legitimate in most cases. In total the sample carries 12 hardcoded tokens used to communicate with these legitimate platforms, all via their public APIs.

  1. Twitter

The first C2 channel discovered is Twitter. Seven different Twitter API credential sets (Consumer Key + Consumer Secret + Token + Token Secret) are hardcoded in the sample. The malware retrieves orders by reading the last message on the Twitter timeline. An order can instruct the malware to:

  • Execute commands
  • Move a file
  • Remove a file
  • Kill a process
  • Download and execute a file.

To perform these actions the malware uses the official Twitter API.

  2. Yandex

The second C2 channel is the Yandex cloud platform, which allows the creation of disks in the Yandex cloud. Four Yandex tokens are hardcoded in the sample. The API is used to download and execute files or to upload stolen documents. Exfiltrated documents are uploaded to:

  • disk:/12ABCDEF/Document/Doc20170330120000.tfs

  3. Mediafire

The third C2 channel uses the file storage provided by Mediafire, again via its public API, to download and execute files or to upload stolen information.
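Because the three platforms cannot simply be blocked, a practical check is to look for a single client that talks to all of them. The following Python is an added detection example, not tooling from the report or any vendor: it correlates proxy log lines per client and flags any client that reaches the public APIs of Twitter, Yandex and Mediafire within one time window, plus any client that uploads a file with the '.tfs' extension seen in the Yandex path above. The log layout, the sample lines and the URL paths are constructed; the API hostnames are the services' public endpoints as assumed here, not indicators from the report.

```python
"""Added detection example (not from the report or any vendor tool).

Assumptions: a made-up "<ISO time> <client ip> <method> <url>" log line
layout, constructed sample lines, and the public API hostnames of the
three services; none of these are indicators published in the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public API host -> platform name (assumed endpoints, not report IOCs).
C2_PLATFORM_HOSTS = {
    "api.twitter.com": "twitter",
    "cloud-api.yandex.net": "yandex",
    "www.mediafire.com": "mediafire",
}
ALL_PLATFORMS = set(C2_PLATFORM_HOSTS.values())

# Weaker second signal: an upload whose URL ends in .tfs, the extension
# of the exfiltrated documents in the report's Yandex path.
TFS_UPLOAD = re.compile(r"\.tfs(\?|$)")

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log; URL paths are illustrative only.
SAMPLE_LOG = [
    "2018-03-09T09:00:01 10.0.0.5 GET https://api.twitter.com/1.1/statuses/user_timeline.json",
    "2018-03-09T09:00:07 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources/upload?path=disk:/12ABCDEF/Document/Doc20180309090007.tfs",
    "2018-03-09T09:00:09 10.0.0.5 PUT https://uploader.disk.yandex.net/upload-target/Doc20180309090007.tfs",
    "2018-03-09T09:01:10 10.0.0.5 POST https://www.mediafire.com/api/1.5/upload/simple.php",
    "2018-03-09T09:02:00 10.0.0.7 GET https://api.twitter.com/1.1/statuses/home_timeline.json",
    "2018-03-09T11:30:00 10.0.0.7 GET https://cloud-api.yandex.net/v1/disk/",
    "malformed entry",
]


def parse_line(line):
    """Return (timestamp, client, method, host, url), or None for junk."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    return when, client, method, host, url


def find_multi_platform_clients(lines, window=timedelta(minutes=30)):
    """Return (flagged, tfs_uploaders).

    flagged: {client: sorted platform names} for clients that contact all
    three platforms within `window` of each other.
    tfs_uploaders: clients that PUT/POST a URL ending in .tfs.
    """
    per_client = defaultdict(list)  # client -> [(timestamp, platform)]
    tfs_uploaders = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, method, host, url = parsed
        platform = C2_PLATFORM_HOSTS.get(host)
        if platform:
            per_client[client].append((ts, platform))
        if method in ("PUT", "POST") and TFS_UPLOAD.search(url):
            tfs_uploaders.add(client)

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        # Anchor a window at each event in turn; flag on the first window
        # that contains every platform.
        for i, (start, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - start <= window}
            if seen == ALL_PLATFORMS:
                flagged[client] = sorted(seen)
                break
    return flagged, tfs_uploaders


if __name__ == "__main__":
    flagged, uploaders = find_multi_platform_clients(SAMPLE_LOG)
    print("clients reaching all three platforms:", flagged)
    print("clients uploading .tfs files:", sorted(uploaders))
```

The window-based rule is deliberately coarse: a workstation that legitimately uses Twitter rarely also drives the Yandex Disk and Mediafire APIs within half an hour, so the hit rate is low enough to triage by hand, while the '.tfs' rule catches the upload even if the sample drops one of the platforms.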

Prevention and Mitigation Strategies

We advise our customers to take the following steps to prevent infection:

  • Use antivirus or antimalware software
  • Keep computers up to date by installing the latest patches
  • Do not open emails from unknown sources
  • Do not download or open files from unknown emails and websites.

 

[1] https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/

[2] https://www.lifewire.com/hwp-file-2621713

[3] https://2.bp.blogspot.com/-lyJihagke9A/WOHoQzlHy_I/AAAAAAAAAGk/ABlej2x_-TgoqNjO3a3gSp7tk0TMoy-jQCLcB/s1600/image15.png

[4] https://1.bp.blogspot.com/-15Cl4dLnOHI/WOHoXare5YI/AAAAAAAAAGo/sH3pJgUPxwEIE_d-nBzpLyBGcLkGIHbAgCLcB/s640/image09.png

[5] https://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability

[6] http://blog.talosintelligence.com/2017/04/introducing-rokrat.html
