A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37 (aka ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).
"The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis.
Believed to be active at least since 2012, the Reaper APT is known for its focus on public and private entities primarily in South Korea, in sectors such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. Since then, its victimology has expanded beyond the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.
While the previous attacks leveraged malware-laced Hangul Word Processor (HWP) documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.
The Microsoft VBA document uploaded to VirusTotal in December purported to be a meeting request dated January 23, 2020, implying that attacks took place almost a year ago.
Chief among the responsibilities of the macro embedded in the file is to inject shellcode into a Notepad.exe process, which then downloads the RokRat payload in encrypted form from a Google Drive URL.
RokRat — first publicly documented by Cisco Talos in 2017 — is a RAT of choice for APT37, with the group using it for a number of campaigns since 2016. A Windows-based backdoor distributed via trojanized documents, it's capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Box, Dropbox, and Yandex.
In 2019, the cloud service-based RAT gained additional features to steal Bluetooth device information as part of an intelligence-gathering effort directed against investment and trading companies in Vietnam and Russia and a diplomatic agency in Hong Kong.
"The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro," the researchers concluded. "That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document."
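Because the macro decodes itself in memory, a behavioural check is the more reliable place to look: Notepad.exe has no normal reason to contact cloud storage. The following is an added example, not code from Malwarebytes or the original article; it correlates constructed Sysmon-style events (ID 1 process creation, ID 3 network connection), and the field names, host watchlist and the Office-parent heuristic are assumptions made for illustration.

```python
# Added illustration: flag notepad.exe talking to cloud storage hosts.
# All events below are constructed samples, assumed to be in time order.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed watchlist covering the services named in the article.
CLOUD_HOSTS = ("drive.google.com", "api.dropboxapi.com",
               "api.box.com", "cloud-api.yandex.net")
NOTEPAD = r"C:\Windows\System32\notepad.exe"

EVENTS = [
    {"id": 1, "pid": 4120, "image": NOTEPAD,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "pid": 4120, "image": NOTEPAD, "dest_host": "drive.google.com"},
    {"id": 1, "pid": 5200, "image": NOTEPAD, "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 7788, "dest_host": "drive.google.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Network event whose process-creation record was never collected.
    {"id": 3, "pid": 6001, "image": NOTEPAD, "dest_host": "api.box.com"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_cloud(host):
    """True for a watchlisted host or one of its subdomains only."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)

def detect(events):
    """Return alerts for notepad.exe connections to cloud storage."""
    parents, alerts = {}, []
    for ev in events:
        if basename(ev["image"]) != "notepad.exe":
            continue
        if ev["id"] == 1:            # remember who launched this notepad
            parents[ev["pid"]] = basename(ev["parent"])
        elif ev["id"] == 3 and is_cloud(ev["dest_host"]):
            parent = parents.get(ev["pid"])   # None if creation was not logged
            severity = "high" if parent in OFFICE else "medium"
            alerts.append({"pid": ev["pid"], "host": ev["dest_host"],
                           "parent": parent, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A connection with an unknown parent is still reported, at lower severity, so that gaps in process-creation logging do not hide the network behaviour.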