UPDATED 22:30 EDT / APRIL 04 2017

INFRA

New remote-access malware uses legitimate sites such as Twitter for attacks

A newly discovered remote-access tool that targets users of a Korean language word processor uses legitimate sites to target victims.

Dubbed ROKRAT by Cisco System Inc.’s Talos security arm, the RAT uses a phishing campaign to target users of the Korean language Microsoft Word alternative Hangul Word Processor. The attack vector is fairly typical for a phishing campaign. Targeted victims receive an email pretending to be from someone else — in this case, an email pretending to be from the Korea Global Forum complete with the sender’s address.

The attachment on the email includes an Encapsulated PostScript object aimed at exploiting a known vulnerability to download a binary masquerading as a .jpg file. Once the file is executed, the ROKRAT malware is installed on the victim’s machine, giving the hackers complete control.

At this point, things get interesting. The ROKRAT malware communicates not to a traditional hacker command-and-control center, but instead to Twitter and two cloud platforms, Yandex and Mediafire, which host both C&C communications and exfiltration platforms. The use of these websites versus traditional C&C points make them difficult to block within an organization becauses the sites are widely used by employees. In addition, the data shared uses HTTPS, making the data difficult to identify by traditional security software.

The RAT goes further in attempting to hide itself by using techniques to frustrate human analysts and avoid sandbox execution. As well as not running Windows XP or Windows Server 2003 systems, if ROKRAT detects a sandbox environment used by malware analysts, it will not execute. Instead, it appears to connect and load nonmalicious links in the form of either an Amazon video of a game called “Men of War” or a Hulu anime video called “Golden Time” to confuse researchers trying to study it.

ROKRAT attacks are currently confined to South Korea, with Talos hinting that North Korea might be behind the attacks. But the concern going forward is that now that the remote access trojan is in the wild, others may seek to copy its methodology.

Photo: Reg McKenna/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU