Fileless attacks and steganography in the new RoKRAT variant from APT37, or why your antivirus won't help.

A new variant of the RoKRAT malware has been identified in the wild, attributed to the operations of the APT37 group. This group, also known by aliases such as Reaper and ScarCruft, has a documented history of targeting entities primarily in South Korea, though its activities extend to other regions. The development of this new RoKRAT version signals a continuous effort by the threat actor to refine its tools for stealth and persistence. RoKRAT itself is a backdoor, designed to give the attackers remote control over a compromised system, enabling them to exfiltrate data, install further malware, and conduct surveillance. The analysis of this variant reveals a combination of sophisticated techniques aimed at bypassing modern security defenses.

A central element of this malware's evasion strategy is a two-stage encrypted shellcode injection method. The process is deliberately complex in order to hinder analysis. The attack begins with an initial dropper, which may be delivered through a phishing email with a malicious attachment. This first stage contains a small, encrypted piece of code whose sole purpose is to decrypt and execute the second stage. The second-stage payload carries the main shellcode, which is itself encrypted. That shellcode is injected directly into the memory space of a running, legitimate process, such as a web browser or a system utility. Because the malware never writes its primary malicious components to disk, traditional file-based antivirus scanners have nothing to scan. The final payload exists in decrypted form only inside the memory of another process, so security products cannot easily recover it, and both static and dynamic analysis become challenging.

To deliver its initial payloads, the malware employs a clever steganography technique. Steganography is the art of hiding data within other, non-secret files. In this campaign, the APT37 group conceals its malicious code within seemingly harmless image files, such as PNGs. An infected system is instructed to download one of these images from a command-and-control server. To a user or a basic network security tool, this appears as normal web traffic. However, embedded within the pixel data of the image is the encrypted payload. A specific function within the malware is designed to read the image file, extract the hidden data from specific locations, and then execute it. This advanced steganography technique serves as an effective delivery and concealment mechanism, allowing the threat to slip past security solutions that are not configured to perform deep inspection of file contents.

The campaign heavily relies on fileless attacks to operate once inside a network. This approach prioritizes the use of tools and processes that are already built into the operating system, a concept known as "living off the land." Instead of dropping new executable files, the malware leverages legitimate utilities like PowerShell and Windows Management Instrumentation (WMI) to carry out its tasks. For instance, PowerShell can be used to download the steganographic images from the internet or to execute scripts directly in memory. WMI can be used to achieve persistence, allowing the malware to re-launch itself after a system reboot without needing a file on disk. The reliance on fileless attacks makes detection very difficult, as the malware's activity is disguised as legitimate administrative actions. Security teams must look for unusual patterns of behavior rather than searching for malicious files.

Given these evasive characteristics, traditional security measures are often insufficient. This is where the practice of EDR monitoring becomes relevant for defense. Endpoint Detection and Response (EDR) solutions are built to counter such threats by continuously monitoring endpoint activities and system events. Unlike antivirus software that looks for known signatures, EDR focuses on identifying abnormal endpoint behavior. It collects telemetry on process creation, network connections, registry changes, and API calls to build a baseline of what is normal for a particular system. When the new RoKRAT malware attempts to inject shellcode into another process, or when a common document application suddenly spawns a PowerShell script to connect to the internet, an EDR system can flag this sequence as anomalous. The detection of abnormal endpoint behavior provides security analysts with the context needed to investigate and respond to a potential compromise before significant damage occurs. Effective EDR monitoring is a suggested countermeasure for organizations to enhance their visibility into the sophisticated techniques used by threats like this one.
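The two behavioral signals named above (a document application spawning PowerShell that then reaches the internet, and one process injecting into another) can be expressed as simple rules over process, network and API telemetry. The following is an added illustration, not code from the article or from any EDR product; the telemetry records, the process names in the document-app and script-host lists, and the assumption that the sensor reports the WriteProcessMemory/CreateRemoteThread pair as "api" events are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real EDR output). Each record is
# (event, pid, ppid, image, detail); "api" details are "Name:target_pid".
SAMPLE_EVENTS = [
    ("process", 100, 1,   "explorer.exe",   ""),
    ("process", 200, 100, "hwp.exe",        ""),           # document viewer
    ("process", 300, 200, "powershell.exe", "-w hidden"),  # child of the document app
    ("network", 300, 200, "powershell.exe", "203.0.113.10:443"),
    ("api",     300, 200, "powershell.exe", "WriteProcessMemory:400"),
    ("api",     300, 200, "powershell.exe", "CreateRemoteThread:400"),
    ("process", 500, 100, "powershell.exe", ""),           # user-launched, benign
    ("network", 500, 100, "powershell.exe", "192.0.2.7:443"),
]

# Assumed lists; a real deployment would tune these to its own environment.
DOC_APPS = {"winword.exe", "excel.exe", "hwp.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INJECT_APIS = ("WriteProcessMemory", "CreateRemoteThread")


def detect(events):
    """Return a list of (rule, pid, detail) findings from the telemetry."""
    image = {}                    # pid -> image name (first seen)
    parent = {}                   # pid -> parent pid
    netconn = set()               # pids that opened a network connection
    api_calls = defaultdict(set)  # (pid, target pid) -> injection APIs seen
    for ev, pid, ppid, img, detail in events:
        image.setdefault(pid, img)
        parent.setdefault(pid, ppid)
        if ev == "network":
            netconn.add(pid)
        elif ev == "api" and ":" in detail:
            api, target = detail.split(":", 1)
            if api in INJECT_APIS:
                api_calls[(pid, int(target))].add(api)

    findings = []
    # Rule 1: document app -> script host that then talks to the network.
    for pid, img in image.items():
        if img in SCRIPT_HOSTS and image.get(parent.get(pid)) in DOC_APPS and pid in netconn:
            findings.append(("doc_spawned_script_with_network", pid, f"{image[parent[pid]]} -> {img}"))
    # Rule 2: the same source wrote memory into and started a thread in another process.
    for (pid, target), apis in api_calls.items():
        if set(INJECT_APIS) <= apis:
            findings.append(("possible_shellcode_injection", pid, f"{image[pid]} -> pid {target}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The benign PowerShell launched from explorer.exe (pid 500) is not flagged even though it connects to the network, which is the point of correlating parent image and child behavior rather than alerting on PowerShell alone.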
