How does the APT37 group spread the ROKRAT malware?


The North Korean threat actor APT37 has been observed changing its deployment methods, using South Korean foreign and internal affairs-themed decoys delivered in files that contain Windows Shortcut (LNK) files, which in turn launch ROKRAT infection chains.

“Our findings suggest that various multi-stage infection chains used to load ROKRAT were used in other attacks, leading to the development of additional tools linked to the same threat actor,” Check Point Research (CPR) explained in an advisory published on Monday. “These tools include another custom backdoor, Goldbackdoor, and the Amadey commodity malware.”

Security researchers clarified that ROKRAT infection chains, first identified in 2017, historically involved a malicious Hangul Word Processor (HWP) document with an exploit or a Microsoft Word document with macros.
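A defender-side illustration of the LNK delivery described above, added here and not part of the original article or of CPR's research: it parses the StringData of a Shell Link file according to the public MS-SHLLINK layout and flags the traits a decoy-document shortcut should never have (a script host as target, a hidden or encoded command, oversized arguments). The sample shortcut is constructed inside the code and runs only a harmless command; the heuristics are assumptions for triage, not CPR's detection logic.

```python
import struct

# LinkFlags bits from MS-SHLLINK (header is 76 bytes, LinkFlags sits at offset 20).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
                 ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION)]
# Script hosts a decoy "document" shortcut has no reason to launch (assumed triage list).
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "rundll32", "wscript", "cscript")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a Shell Link file."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags, = struct.unpack_from("<I", data, 20)
    pos = 0x4C
    if flags & HAS_ID_LIST:         # skip LinkTargetIDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:       # skip LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode, fields = bool(flags & IS_UNICODE), {}
    for name, bit in STRING_FIELDS: # StringData: 2-byte char count, chars, no terminator
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + nbytes
    return fields

def suspicious_reasons(fields: dict) -> list:
    """Triage heuristics for shortcut lures: script host target, hidden/encoded run, oversized args."""
    path, args = fields.get("relative_path", ""), fields.get("arguments", "")
    reasons = []
    if any(host in (path + args).lower() for host in SCRIPT_HOSTS):
        reasons.append("target is a script host")
    if any(k in args.lower() for k in ("-w hidden", "windowstyle hidden", "-enc", "-e ")):
        reasons.append("hidden window or encoded command")
    if len(args) > 260:
        reasons.append("arguments longer than 260 chars (%d)" % len(args))
    return reasons

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # CLSID_ShellLink
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    pack = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(relative_path) + pack(arguments)
```

Real lures usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size, so the same function works on shortcuts pulled from a mailbox or an archive.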
