INFRA
INFRA
INFRA
New remote-access malware uses legitimate sites such as Twitter for attacks
A newly discovered remote-access tool that targets users of a Korean language word processor uses legitimate sites to target victims.
Dubbed ROKRAT by Cisco System Inc.’s Talos security arm, the RAT uses a phishing campaign to target users of the Korean language Microsoft Word alternative Hangul Word Processor. The attack vector is fairly typical for a phishing campaign. Targeted victims receive an email pretending to be from someone else — in this case, an email pretending to be from the Korea Global Forum complete with the sender’s address.
The attachment on the email includes an Encapsulated PostScript object aimed at exploiting a known vulnerability to download a binary masquerading as a .jpg file. Once the file is executed, the ROKRAT malware is installed on the victim’s machine, giving the hackers complete control.
At this point, things get interesting. The ROKRAT malware communicates not to a traditional hacker command-and-control center, but instead to Twitter and two cloud platforms, Yandex and Mediafire, which host both C&C communications and exfiltration platforms. The use of these websites versus traditional C&C points make them difficult to block within an organization becauses the sites are widely used by employees. In addition, the data shared uses HTTPS, making the data difficult to identify by traditional security software.
The RAT goes further in attempting to hide itself by using techniques to frustrate human analysts and avoid sandbox execution. As well as not running Windows XP or Windows Server 2003 systems, if ROKRAT detects a sandbox environment used by malware analysts, it will not execute. Instead, it appears to connect and load nonmalicious links in the form of either an Amazon video of a game called “Men of War” or a Hulu anime video called “Golden Time” to confuse researchers trying to study it.
ROKRAT attacks are currently confined to South Korea, with Talos hinting that North Korea might be behind the attacks. But the concern going forward is that now that the remote access trojan is in the wild, others may seek to copy its methodology.
Photo: Reg McKenna/Wikimedia Commons
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
