Analysis of APT-C-28 (ScarCruft) Campaign Delivering RokRat via Malicious Documents
2023-05-19 • Qihoo360 • Analysis of APT-C-28 (ScarCruft) organization's use of malicious documents to deliver RokRat attack activities
360 attributed a Korea-targeted malicious-document campaign to APT-C-28, also known as ScarCruft or APT37, based on its RokRat payload and its similarity to earlier public reporting. The captured Korean-language lure masqueraded as a payment application form. Once macros were enabled, the first macro dynamically decoded a second macro, lifted Office's VBA object-model access restriction (the AccessVBOM check) so the decoded macro could be run, created a mutex, and injected first-stage shellcode into a notepad.exe process. That shellcode retrieved encrypted content from attacker-controlled cloud storage, decoded a second-stage shellcode, and loaded a RokRat build compiled in December 2022 entirely in memory. The report notes changes in this RokRat version compared with earlier samples: checks for running antivirus processes, modified cleanup and persistence commands, expanded system-information collection, and use of cloud services such as OneDrive rather than Box.
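The chain above is observable from host telemetry without any sample-specific hash. As an added example (not code from the 360 report), the following Python correlates constructed Sysmon-style events for the stages the summary describes: an Office process writing the AccessVBOM registry value (the usual way a macro lifts the VBA object-model check; that this is the bypass the report refers to is an assumption), Word spawning notepad.exe, a remote thread created into it from Word, and notepad.exe then resolving OneDrive names. Event field names, hostnames, PIDs, and every cloud domain beyond the OneDrive hosts visible in the IOC table are assumptions; all sample events are constructed.

```python
"""
Detection sketch for the RokRat delivery chain summarised above (added
example, not code from the 360 report). Event dictionaries loosely follow
Sysmon field names: EventID 13 = registry value set, 1 = process create,
8 = CreateRemoteThread, 22 = DNS query. All sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# api.onedrive.com and 1drv.ms appear in the IOC table; onedrive.live.com is an assumption.
CLOUD_DOMAINS = ("api.onedrive.com", "1drv.ms", "onedrive.live.com")

# Constructed telemetry. WS01 shows the full chain; WS02 is benign noise
# (a user-launched notepad.exe that happens to resolve a OneDrive name).
SAMPLE_EVENTS = [
    {"ts": "2023-05-19T09:00:01", "host": "WS01", "id": 13,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "details": "DWORD (0x00000001)"},
    {"ts": "2023-05-19T09:00:05", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "pid": 4321,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": "2023-05-19T09:00:06", "host": "WS01", "id": 8,
     "source_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_image": r"C:\Windows\System32\notepad.exe", "target_pid": 4321},
    {"ts": "2023-05-19T09:00:40", "host": "WS01", "id": 22,
     "image": r"C:\Windows\System32\notepad.exe", "pid": 4321, "query": "api.onedrive.com"},
    {"ts": "2023-05-19T09:02:00", "host": "WS02", "id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "pid": 100,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2023-05-19T09:02:03", "host": "WS02", "id": 22,
     "image": r"C:\Windows\System32\notepad.exe", "pid": 100, "query": "api.onedrive.com"},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(e):
    """Map one event to a chain stage name, or None if it is not of interest."""
    eid = e["id"]
    # Stage 1: an Office process enables programmatic access to the VBA project.
    if eid == 13 and basename(e["image"]) in OFFICE_HOSTS \
            and e["target"].lower().endswith("\\accessvbom") and "0x00000001" in e["details"]:
        return "office_sets_accessvbom"
    # Stage 2: Office starts notepad.exe as an injection host.
    if eid == 1 and basename(e["image"]) == "notepad.exe" \
            and basename(e["parent_image"]) in OFFICE_HOSTS:
        return "office_spawns_notepad"
    # Stage 3: Office creates a thread inside notepad.exe (shellcode injection).
    if eid == 8 and basename(e["source_image"]) in OFFICE_HOSTS \
            and basename(e["target_image"]) == "notepad.exe":
        return "office_remote_thread_into_notepad"
    # Stage 4: the injected notepad.exe reaches for cloud storage.
    if eid == 22 and basename(e["image"]) == "notepad.exe" \
            and e["query"].lower().endswith(CLOUD_DOMAINS):
        return "notepad_resolves_cloud_storage"
    return None


def correlate(events, window_seconds=600, threshold=3):
    """Collect distinct stage hits per host and alert when at least
    `threshold` of them fall within `window_seconds` of each other."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(dict)  # host -> stage -> first matching event
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stage = classify(e)
        if stage and stage not in hits[e["host"]]:
            hits[e["host"]][stage] = e
    findings = {}
    for host, stages in hits.items():
        times = [datetime.fromisoformat(ev["ts"]) for ev in stages.values()]
        spread = max(times) - min(times)
        findings[host] = {
            "stages": sorted(stages),
            "score": len(stages),
            "alert": len(stages) >= threshold and spread <= window,
        }
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if finding["alert"] else "ok", finding["stages"])
```

Stages are grouped per host for readability; in a real pipeline, stages 2 to 4 should be tied to the notepad.exe process GUID or PID so two unrelated events on a busy host do not combine, and the AccessVBOM write should be joined to the Office process that later spawns notepad.exe. A single OneDrive lookup from notepad.exe (host WS02) scores one stage and does not alert, which is the intended behaviour given how common OneDrive traffic is.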
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 40ae072f85ce949ab55ce4c6ae905a2… | 2023-05-19 | 2023-05-19 |
| HASH | 752f1932d21f8d95e35b6778ddefbc79 | 2023-05-19 | 2023-05-19 |
| HASH | 1e498b28c57911de5ffb1d1f875d54cd | 2023-05-19 | 2023-05-19 |
| HASH | 0aa43a17afda8b1559f22e9557d935fc | 2023-05-19 | 2023-05-19 |
| HASH | bf757d55d6b48ec73851540ca7fe9315 | 2023-05-19 | 2023-05-19 |
| HASH | 9e9b337ea4527f844c46876a47478831 | 2023-05-19 | 2023-05-19 |
| HASH | 9970e502a2db3cecb5109b28d6f26e0… | 2023-05-19 | 2023-05-19 |
| HASH | 0ee5120ecd0e8f07cb7e2af11c9d403… | 2023-05-19 | 2023-05-19 |
| URL | https://api.onedrive.com/v1.0/s… | 2023-05-19 | 2023-05-19 |
| HASH | 8a50a4ee479d9ba2f5525fa899420b3… | 2023-05-09 | 2023-05-19 |
| HASH | 12ecabf01508c40cfea1ebc39582147… | 2023-05-01 | 2023-05-19 |
| URL | https://1drv.ms/u/s!Au2my1xh6t8… | 2023-05-01 | 2023-05-19 |