LNK 파일을 활용한 RokRAT 악성코드에 대한 분석

2024-09-13 • ENKI • Analysis of RokRAT malware using LNK files •

https://www.enki.co.kr/media-center/blog/analysis-of-rokrat-malware-utilizing-lnk-files

#APT37 #RokRAT #LNK

Thumbnail for LNK 파일을 활용한 RokRAT 악성코드에 대한 분석

ENKI analyzes RokRAT activity that uses malicious LNK files as an initial execution mechanism, a technique increasingly observed after Microsoft restricted Office macros and began phasing out VBScript. The source says attackers commonly deliver archives containing an embedded-command LNK file, sometimes alongside benign documents, and then use the shortcut to run commands through PowerShell. The report is relevant to RokRAT detection, LNK command extraction, and email-borne initial access triage.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	94159655fa0bfb1eff092835d8922d3…	2024-09-13	2025-03-10
HASH	b1025baa59609708315326fe4279d81…	2024-09-13	2025-01-01
HASH	dbd5d662cc53d4b91cf7da9979cdffd…	2024-03-04	2024-11-04
HASH	4ec203d22097e29d83a6425e523cfb3…	2024-09-13	2024-09-13
HASH	2ae727feffb939434fd9c3804517d86…	2024-09-13	2024-09-13
HASH	92bad80b08407755da14760de5703dc…	2024-09-13	2024-09-13
HASH	23549c774f56aae77115b456bdcad6c…	2024-09-13	2024-09-13
HASH	653202d94d655f9fafbb1217fba57d2…	2024-09-13	2024-09-13
HASH	9646372af573fb90a7f3665386629cc…	2024-09-13	2024-09-13
HASH	0a501fd9d043b043de9083d03870b9c…	2024-09-13	2024-09-13
HASH	81269c3c41d957765314a1704e0ea6c…	2024-09-13	2024-09-13
HASH	b02329000ae4f8f4238db366d8fe394…	2024-09-13	2024-09-13
HASH	903b02ff3ef690ea53103737a07c36a…	2024-09-13	2024-09-13
HASH	cdfa3a84b1bf6a58218bb6435a513b8…	2024-09-13	2024-09-13
HASH	b8d034814d9c8aa12b49372c9007f36…	2024-09-13	2024-09-13
HASH	14e507f2160b415d8aae1bbe4e5fbcf…	2024-09-13	2024-09-13
HASH	00f45a18a4ca30f2de40c213186bd9e…	2024-09-13	2024-09-13
HASH	f3d98b1638dbe6fd0f97ae3b1d2c9d5…	2024-09-13	2024-09-13
HASH	c25e5e87d1e665197209e7aaec64e48…	2024-09-13	2024-09-13
HASH	1fa815ed72933b3d2efdae7b13d6cc8…	2024-09-13	2024-09-13
HASH	e97b31d85345d899bdd207e52c7660c…	2024-09-13	2024-09-13
HASH	faa8312eb5dfaafae9be18b4470990e…	2024-09-13	2024-09-13
HASH	dd3803ade05abe200bac8cb34247b43…	2024-09-13	2024-09-13
HASH	e6f4bbc21b34b10b10a9bc83ccc329a…	2024-09-13	2024-09-13
HASH	dc6ca2e9ce800245a65715647bb1614…	2024-09-13	2024-09-13
HASH	95aedd9c8ec64d3abd6ecf016b6886e…	2024-09-13	2024-09-13
HASH	94fb40e50f2614d11e3b122be91e76d…	2024-09-13	2024-09-13
URL	https://api.pcloud.com/listfold…	2024-09-13	2024-09-13
URL	https://api.pcloud.com/userinfo	2024-09-13	2024-09-13
URL	https://api.pcloud.com/trash_li…	2024-09-13	2024-09-13
HASH	cbc777d1e018832790482e6fd82ab18…	2024-03-21	2024-09-13
HASH	4f5d8bb87b68b943c1e4f05c12a8c08…	2024-03-21	2024-09-13
HASH	e914f39c7800f87e99ca4821c7a6d4a…	2024-03-21	2024-09-13

Related Actors

APT37

Mandiant

Scarcruft

First seen: Feb 2018

Last seen: Jun 2026

Related Reports

2024-11-04 • 70% Match

북한 APT 리퍼(Reaper)에서 만든 탈북민 사칭 한국해양수산연수원 타겟 인것으로 추측이 되는 악성코드-정보접근권.lnk(2024.11.1)

Sakai

#APT37 #RokRAT #LNK

Shares tags: APT37, RokRAT, LNK

2024-03-21 • 68% Match

"북한지 기고문"을 위장하여 유포된 LNK 악성코드

Secu I

#APT37 #RokRAT #LNK #T1082 #T1560 #T1497 #T1036 #T1027 #T1071 #T1057 #T1059.001 #T1059 #T1003 #T1548 #T1203 #T1564.001 #T1106 #T1573 #T1070 #T1033 #T1485 #T1012 #T1202 #T1564.003 #T1564 #T1027.004

Shares tags: APT37, RokRAT, LNK • Shares 3 IOCs

2025-03-10 • 66% Match

APT37 - RokRat

ZW01f

#APT37 #RokRAT #LNK

Shares tags: APT37, RokRAT, LNK • Shares 1 IOC

2025-03-04 • 65% Match

한글 문서로 위장한 두 공격 그룹의 악성코드 비교

Logpresso

#Konni #APT37 #RokRAT #LNK

Shares tags: APT37, RokRAT, LNK

2024-03-27 • 65% Match

APT37 그룹의 RoKRAT 파일리스 공격 증가

Genians

#APT37 #RokRAT #LNK

Shares tags: APT37, RokRAT, LNK

2025-08-29 • 60% Match

Operation HanKook Phantom: APT37 Spear-Phishing Campaign

Seqrite

#APT37 #RokRAT #LNK #T1102.002 #T1027.013 #T1082 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1083 #T1204.001 #T1204.002 #T1566.001 #T1547.001 #T1053.005 #T1059.001 #T1123 #T1087.001 #T1056.002 #T1574.001 #T1217 #T1027.009 #T1529 #T1055.009 #T1055.001

Shares tags: APT37, RokRAT, LNK

« Back