Matryoshka: Variant of ROKRAT, APT37 (Scarcruft)

2021-07-14 S2W

https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48


S2W analyzes a December 2020 watering-hole attack attributed to ScarCruft/APT37 that delivered Matryoshka, an evolved ROKRAT variant, to visitors who browsed a North Korea-related website with a vulnerable Internet Explorer. The infection chain ran from a malicious script source through PowerShell, OneDrive-hosted Ruby components and multi-stage shellcode to PE payloads dropped under legitimate-looking driver paths, which in turn loaded the final information stealer. The malware derived its keys from the victim's computer name, used AES-128-CBC and XOR routines, checked for installed antivirus products, maintained persistence through Run keys, injected code into other processes, and collected files, browser credentials, cookies, mail-client data, and FTP-client data. Command-and-control and exfiltration abused cloud services such as pCloud, Yandex, Box, Dropbox, and Backblaze. The report's appendix provides the recovered service tokens, sample hashes, and YARA rules for the ScarCruft loaders and ROKRAT components.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
IPv4    151.101.1.195                       2021-07-14   2024-08-23
YARA    Scarcruft_RUBY_Shellcode_XOR_Ro…    2021-07-14   2021-07-14
YARA    Scarcruft_Reverse_BS64_Loader       2021-07-14   2021-07-14
HASH    888ed5eb170d48cf12f8716db899ec85    2021-07-14   2021-07-14
HASH    4df1c60bad360e3c0c5ebf8d2de998e0    2021-07-14   2021-07-14
HASH    5afb61fd9c0bdf9468045291cc9c4e4f    2021-07-14   2021-07-14
HASH    6634c216fdb0067920f911a6fd1d60de    2021-07-14   2021-07-14
HASH    72657175697265202762617365363427    2021-07-14   2021-07-14
HASH    6117403d7668593be80a0ef1ad72ba5b    2021-07-14   2021-07-14
EMAIL   [email protected]                   2021-07-14   2021-07-14

Notes on the automatically extracted indicators above (verify against the original report before acting on them):

- 151.101.1.195 lies in a Fastly CDN range, the network that fronts medium.com where the report itself is published, so it was most likely harvested from the report URL rather than from attacker infrastructure.
- The 32-hex-character value 72657175697265202762617365363427 is the ASCII encoding of the string `require 'base64'` (a line from the Ruby loader stage), not a file hash; it appears to have been lifted from a YARA hex string and will not match anything if searched as an MD5.
- The EMAIL value was obfuscated by the source page and is not recoverable from this listing.
