Reverse Engineering RokRAT: A Closer Look at APT37's OneDrive-Based Attack Vector
2023-05-30 • ThreatMon •
ThreatMon analyzes RokRAT, a remote access trojan used in a recent attack that the source attributes to APT37, also known as Reaper or Group123. The malware begins by collecting data about the victim system, uses IsDebuggerPresent and GetTickCount as anti-analysis checks, takes screenshots that it saves under the Temp folder, and communicates with command-and-control infrastructure hosted on multiple cloud providers, using an authorization header to validate its sessions. Documented operator capabilities include executing commands through cmd.exe and ShellExecute, running shellcode, enumerating logical drives, and searching for files with selected extensions for exfiltration. The report presents these behaviors alongside MITRE ATT&CK mappings, indicators of compromise (IOCs), and a YARA rule for detection.