LNK File Disguised as Certificate Distributing RokRAT Malware

2024-05-07 Ahnlab

https://asec.ahnlab.com/en/65076/


ASEC observed oversized LNK files targeting South Korean users, themed around North Korea-related, military, unification, and education topics. The shortcuts execute PowerShell through CMD, drop a decoy document, and write viewer.dat, search.dat, and find.bat into the public folder. search.dat loads viewer.dat filelessly, which results in RokRAT running with its C2 carried over the pCloud, Yandex, and Dropbox cloud APIs using a Googlebot-like User-Agent. RokRAT can run commands, collect directory and system information, remove startup artifacts, and upload collected data to the actor-controlled cloud storage.
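As an added, defender-side example (not code from the ASEC report), the following Python flags the behaviours described above in constructed Sysmon-style telemetry: CMD spawning PowerShell, viewer.dat, search.dat and find.bat written under the public folder, and a shell process reaching the cloud APIs with a Googlebot-like User-Agent. The event field names and every sample event are assumed and constructed; the cloud hosts are the API endpoints the report's indicators list.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -c <omitted>"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell -c <omitted>"},
    {"type": "file", "image": PS, "path": r"C:\Users\Public\viewer.dat"},
    {"type": "file", "image": PS, "path": r"C:\Users\Public\search.dat"},
    {"type": "file", "image": PS, "path": r"C:\Users\Public\find.bat"},
    {"type": "network", "image": PS, "host": "api.pcloud.com",
     "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    # Benign baseline: a (constructed) sync client talking to the same cloud API.
    {"type": "network", "image": r"C:\Program Files\SyncClient\sync.exe",
     "host": "api.pcloud.com", "user_agent": "SyncClient/1.0"},
]
# Filenames the report says the LNK writes into the public folder.
PUBLIC_DROPS = {"viewer.dat", "search.dat", "find.bat"}
# Cloud API hosts used as C2 in the report. They are legitimate services, so the
# host alone is not a verdict; it is flagged only together with a second signal.
CLOUD_C2_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net", "content.dropboxapi.com"}
GOOGLEBOT_UA = re.compile(r"googlebot", re.IGNORECASE)
SHELLS = ("powershell.exe", "cmd.exe")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, evidence) tuples for events matching the RokRAT LNK chain."""
    findings = []
    for e in events:
        image = basename(e["image"])
        if e["type"] == "process":
            # CMD launching PowerShell: the shortcut's first stage.
            if image == "powershell.exe" and basename(e["parent"]) == "cmd.exe":
                findings.append(("cmd_spawns_powershell", e["cmdline"]))
        elif e["type"] == "file":
            path = e["path"].lower()
            if path.startswith("c:\\users\\public\\") and basename(path) in PUBLIC_DROPS:
                findings.append(("public_folder_drop", e["path"]))
        elif e["type"] == "network":
            host = e["host"].lower()
            crawler_ua = bool(GOOGLEBOT_UA.search(e.get("user_agent", "")))
            if host in CLOUD_C2_HOSTS and (crawler_ua or image in SHELLS):
                findings.append(("cloud_api_c2", f"{image} -> {host}"))
    return findings
```

The benign sync-client event is deliberately left unflagged: a cloud API host alone is normal traffic, and the rule only fires when the User-Agent or the originating process is anomalous.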

Indicators of Compromise
