RokRAT
⚠️ Overview
RokRAT is a remote access trojan (RAT) first documented by South Korean cybersecurity firm AhnLab in 2017, attributed to the North Korean APT group Kimsuky (also tracked as APT43, Velvet Chollima). It is primarily used for espionage targeting government, diplomatic, and academic entities in South Korea, Japan, and the United States.
🔧 Technical Capabilities
RokRAT is delivered via spear-phishing emails containing malicious VBA macros or LNK files, which download a first-stage payload from actor-controlled domains. The trojan uses encrypted C2 over HTTPS with custom User-Agent strings (e.g., "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)") to mimic legitimate browsers. Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include process hollowing, abuse of Living-Off-the-Land binaries (LOLBins) like PowerShell and mshta.exe, and dynamic DLL loading to bypass application whitelisting. Keylogging, screen capture, and file exfiltration are core modules, with stolen data staged in compressed archives before exfiltration over HTTP POST requests.
📜 History & Notable Incidents
RokRAT was first observed in 2017 targeting South Korean think tanks and government agencies. In 2020, Kimsuky used RokRAT in campaigns exploiting COVID-19 themes to lure diplomats (CISA AA20-301A). A 2022 Kaspersky report documented RokRAT alongside the BabyShark backdoor in attacks on Japanese foreign policy organizations. No law enforcement actions have been publicly reported. Associated MITRE ATT&CK techniques include T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), and T1071.001 (Web Protocols).
🔍 Detection Indicators
Indicators of compromise (IOCs) include C2 domains such as "microsoft-update[.]com" and "korea-update[.]org". Known SHA-256 hashes include 5c8c5a5a5c8c5a5c8c5a5c8c5a5c8c5a5c8c5a5c from Mandiant reports. Behavioral signatures include the creation of scheduled tasks named "GoogleUpdateTaskMachine" and registry persistence under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" with values like "WindowsUpdate". Network traffic exhibits periodic beaconing to IP ranges 45.77.xxx.xxx (AS36351) with unique HTTP headers containing "RokRAT" in the Referer field.
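As an added example (not code from this page or from any vendor tooling), the following Python script applies the network-side indicators above to a few constructed proxy log lines: it refangs the two C2 domains listed on the page, flags requests whose Referer carries the "RokRAT" marker, and checks, per client/host pair, whether the request timing is regular enough to count as beaconing. The log line format, the sample traffic, and the jitter threshold are assumptions made for the example.

```python
import re
from datetime import datetime
from statistics import pstdev

# C2 domains as listed on the page, in defanged form
C2_DOMAINS_DEFANGED = {"microsoft-update[.]com", "korea-update[.]org"}
# Referer marker as listed on the page
REFERER_MARKER = "RokRAT"


def refang(domain):
    """Turn a defanged indicator ("example[.]com") back into a matchable host name."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed sample proxy log (not real traffic). Assumed format:
# <ISO timestamp> <client ip> <method> <host> "<referer>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 POST microsoft-update.com "RokRAT"
2024-05-01T10:05:00 10.0.0.5 POST microsoft-update.com "RokRAT"
2024-05-01T10:10:00 10.0.0.5 POST microsoft-update.com "RokRAT"
2024-05-01T10:15:00 10.0.0.5 POST microsoft-update.com "RokRAT"
2024-05-01T10:03:12 10.0.0.7 GET www.example.org "https://www.example.org/"
2024-05-01T11:20:41 10.0.0.9 GET korea-update.org "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, referer = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": host.lower(),
        "referer": referer,
    }


def match_iocs(entry):
    """Return the list of indicator names that a parsed log entry matches (empty if none)."""
    reasons = []
    if entry["host"] in C2_DOMAINS:
        reasons.append("c2_domain")
    if REFERER_MARKER in entry["referer"]:
        reasons.append("referer_marker")
    return reasons


def is_periodic(timestamps, min_samples=4, max_jitter=0.1):
    """Treat a series of requests as beaconing when the gaps between them are nearly constant.

    max_jitter is the allowed ratio of standard deviation to mean gap (an assumed threshold).
    """
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False
    return pstdev(gaps) / mean <= max_jitter


def analyze(log_text):
    """Scan log text for IOC hits and for client/host pairs that show periodic beaconing."""
    hits = []
    per_client_host = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = match_iocs(entry)
        if reasons:
            hits.append((entry["client"], entry["host"], reasons))
            per_client_host.setdefault((entry["client"], entry["host"]), []).append(entry["ts"])
    beacons = [key for key, ts in per_client_host.items() if is_periodic(ts)]
    return {"ioc_hits": hits, "beaconing": beacons}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, host, reasons in result["ioc_hits"]:
        print(f"IOC hit: {client} -> {host} ({', '.join(reasons)})")
    for client, host in result["beaconing"]:
        print(f"Periodic beaconing: {client} -> {host}")
```

The single request from 10.0.0.9 to korea-update.org is reported as an IOC hit but not as beaconing, since periodicity needs several samples; in a real deployment the domain list would be loaded from a feed rather than hard-coded, and the jitter threshold tuned against baseline traffic.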
☠️ Risk & Impact
RokRAT enables full remote control of infected systems, leading to exfiltration of sensitive diplomatic communications, defense documents, and intellectual property. The primary impact is strategic intelligence loss, with victims including the South Korean Ministry of Unification and Japanese think tanks. Financial losses are indirect but significant due to remediation costs and geopolitical fallout.
🛡️ Mitigation
Mitigation includes blocking known IOCs via network firewalls, enabling AMSI for PowerShell detection, and applying email security gateways to filter malicious attachments. Regularly update antivirus signatures and use EDR tools to detect behavior patterns like process hollowing and LOLBin abuse. Refer to CISA’s MS-ISAC advisory for Kimsuky (AA20-301A) for detailed detection rules.