Connect with us

Hi, what are you looking for?


Malware & Threats

New RAT Uses Popular Sites for Command and Control

A newly discovered remote administration tool (RAT) uses popular legitimate websites for its command and control (C&C) communication and for the exfiltration of data, Talos researchers say.

A newly discovered remote administration tool (RAT) uses popular legitimate websites for its command and control (C&C) communication and for the exfiltration of data, Talos researchers say.

Dubbed ROKRAT, the tool is distributed via email with a malicious Hangul Word Processor (HWP) document and targets victims in Korea, where the Office alternative is highly popular. Researchers found that one of the malicious spear phishing emails was sent from the email server of Yonsei, a private university in Seoul. To add legitimacy to the email, the attackers used the contact email of the Korea Global Forum as the sender’s address.

The malicious HWP document contained an embedded Encapsulated PostScript (EPS) object aimed at exploiting a well-known vulnerability (CVE-2013-0808) to download a binary masquerading as a .jpg file. When the file is decoded and executed, the ROKRAT malware is installed on the victim’s machine, Talos explains.

The RAT shows increased complexity by using legitimate websites such as Twitter, Yandex, and Mediafire as its C&C communication and exfiltration platforms. Not only are these websites difficult to block globally within organizations, but they also use HTTPS connectivity, which makes it difficult to identify specific patterns.

“One of the samples analyzed only uses Twitter to interact with the RAT, while the second one additionally uses the cloud platforms: Yandex and Mediafire. The Twitter tokens we were able to extract are the same in both variants. There is obvious ongoing effort to add features to this RAT to allow for more sophisticated levels of attacks,” Talos notes.

Upon analysis, the security researchers discovered that the RAT doesn’t work on Windows XP systems and also packs detection evasion capabilities, as it checks the compromised system for a series of tools used for malware analysis or within sandbox environments. Should such tools be discovered, the malware jumps to a fake function which generates dummy HTTP traffic.

For communication with the C&C platforms, the malware uses 12 hardcoded tokens (7 different Twitter API tokens, 4 Yandex tokens, and one Mediafire account). The malware checks the last message on the Twitter timeline to receive orders and can also tweet; and can download and execute files or upload stolen documents to disks in the Yandex cloud or Mediafire.

Advertisement. Scroll to continue reading.

The malware also packs keylogging capabilities, and one of the samples was also observed taking screenshots of the infected systems, researchers say.

The actor behind this campaign is a motivated one, Talos notes. The RAT is innovative, using novel communication channels that are difficult to contain within organizations. Furthermore, the malware includes a series of exotic features, such as the ability to perform requests to legitimate websites (Amazon and Hulu) if executed in a sandbox.

“This investigation shows us once again that South Korean interests sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email which increased the chance of success. And we know that it was a success, during the writing of the article we identified infected systems communicating with the command & control previously mentioned,” Talos concludes.

Related: Targeted Malware Campaign Uses HWP Documents

Related: Organizations in Asia Targeted With InPage Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...