A newly discovered remote administration tool (RAT) uses popular legitimate websites for its command and control (C&C) communication and for the exfiltration of data, Talos researchers say.
Dubbed ROKRAT, the tool is distributed via email with a malicious Hangul Word Processor (HWP) document and targets victims in Korea, where this alternative to Microsoft Office is highly popular. Researchers found that one of the malicious spear phishing emails was sent from the email server of Yonsei, a private university in Seoul. To add legitimacy to the email, the attackers used the contact email of the Korea Global Forum as the sender’s address.
The malicious HWP document contained an embedded Encapsulated PostScript (EPS) object aimed at exploiting a well-known vulnerability (CVE-2013-0808) to download a binary masquerading as a .jpg file. When the file is decoded and executed, the ROKRAT malware is installed on the victim’s machine, Talos explains.
The RAT shows increased complexity by using legitimate websites such as Twitter, Yandex, and Mediafire as its C&C communication and exfiltration platforms. Not only are these websites difficult to block globally within organizations, but they also use HTTPS connectivity, which makes it difficult to identify specific patterns.
“One of the samples analyzed only uses Twitter to interact with the RAT, while the second one additionally uses the cloud platforms: Yandex and Mediafire. The Twitter tokens we were able to extract are the same in both variants. There is obvious ongoing effort to add features to this RAT to allow for more sophisticated levels of attacks,” Talos notes.
Upon analysis, the security researchers discovered that the RAT doesn’t work on Windows XP systems and also packs detection evasion capabilities, as it checks the compromised system for a series of tools used for malware analysis or within sandbox environments. Should such tools be discovered, the malware jumps to a fake function which generates dummy HTTP traffic.
For communication with the C&C platforms, the malware uses 12 hardcoded tokens (7 different Twitter API tokens, 4 Yandex tokens, and one Mediafire account). The malware reads the last message on the Twitter timeline to receive orders and can also tweet; it can download and execute files, or upload stolen documents to Yandex Disk cloud storage or Mediafire.
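Because the C&C traffic goes to services that are legitimate and usually allowed, the useful signal is which process opens the connection rather than the destination alone. The following added hunting script (not Talos code; the API hostnames, the browser allowlist and the `hwp.exe` process name are assumptions) runs over constructed endpoint telemetry lines and flags non-browser processes that reach the three platforms named above, raising the severity when one process touches several of them or is a child of the document handler.

```python
import re

# Hosts of the three legitimate services ROKRAT is reported to use for C&C and
# exfiltration. The exact API hostnames are assumptions, not taken from the write-up.
C2_SERVICES = {
    "api.twitter.com": "twitter",
    "cloud-api.yandex.net": "yandex",
    "www.mediafire.com": "mediafire",
}
# Processes expected to talk to these services during normal use (assumed allowlist).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Assumed process name of the Hangul Word Processor; HWP documents are the reported
# delivery vector, so a child of it reaching a cloud API is highly suspicious.
DOC_HANDLERS = {"hwp.exe"}

# Constructed endpoint telemetry lines (process plus outbound TLS destination); not real data.
SAMPLE_LINES = [
    "2017-04-03T09:12:01 host=WS-17 proc=chrome.exe parent=explorer.exe dst=api.twitter.com",
    "2017-04-03T09:13:44 host=WS-17 proc=update.exe parent=hwp.exe dst=api.twitter.com",
    "2017-04-03T09:14:02 host=WS-17 proc=update.exe parent=hwp.exe dst=cloud-api.yandex.net",
    "2017-04-03T09:14:30 host=WS-17 proc=update.exe parent=hwp.exe dst=www.mediafire.com",
    "2017-04-03T09:15:10 host=WS-22 proc=svchost.exe parent=services.exe dst=api.twitter.com",
    "2017-04-03T09:16:00 host=WS-22 proc=firefox.exe parent=explorer.exe dst=www.mediafire.com",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one 'timestamp key=value ...' telemetry line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = ts
    rec["proc"] = rec["proc"].lower()
    rec["parent"] = rec["parent"].lower()
    return rec

def hunt(lines):
    """Flag non-browser processes reaching the C&C services; returns {(host, proc): info}."""
    findings = {}
    for rec in map(parse, lines):
        svc = C2_SERVICES.get(rec["dst"])
        if svc is None or rec["proc"] in BROWSERS:
            continue  # browser traffic to these sites is expected and too noisy to alert on
        key = (rec["host"], rec["proc"])
        f = findings.setdefault(key, {"services": set(), "parent": rec["parent"], "first_seen": rec["ts"]})
        f["services"].add(svc)
    for f in findings.values():
        # A single process using two or more of the platforms mirrors the second variant's
        # Twitter + Yandex + Mediafire behaviour; a document-handler parent also adds weight.
        f["severity"] = "high" if len(f["services"]) >= 2 or f["parent"] in DOC_HANDLERS else "medium"
    return findings
```

Medium findings (a lone system process reaching one of the services) still deserve a look, since the first variant uses Twitter alone.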
The malware also packs keylogging capabilities, and one of the samples was also observed taking screenshots of the infected systems, researchers say.
The actor behind this campaign is a motivated one, Talos notes. The RAT is innovative, using novel communication channels that are difficult to contain within organizations. Furthermore, the malware includes a series of exotic features, such as the ability to perform requests to legitimate websites (Amazon and Hulu) if executed in a sandbox.
“This investigation shows us once again that South Korean interests attract sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email, which increased the chance of success. And we know that it was a success: during the writing of the article we identified infected systems communicating with the command & control previously mentioned,” Talos concludes.