This article is more than 1 year old
RAT-catchers spot new malware attacking South Korean word processor
Twitter, Yandex and Mediafire as C&C for snoopy malware
Cisco Talos researchers reckon South Korean users are again under attack from a new malicious RAT (remote administration tool) they've dubbed ROKRAT.
Back in February, the security researchers reported an attack that used a compromised government Website to distribute malware in macro-laden documents attacking users of the local-language word processor Hangul.
The new attack posted Monday again uses Hangul documents in phishing e-mails to carry the payload, this time ROKRAT.
The RAT uses Twitter, Yandex and Mediafire for command-and-control and data exfiltration, since these are “difficult to block globally” because they're legitimate business tools, and also because their use of HTTPS makes it hard to spot at the firewall.
If the RAT finds it's been installed on Windows XP, it puts itself into an infinite sleep; if it executes, it checks the victim's process list to see whether they're running antivirus or analytical tools like Wireshark.
“If any of these processes are discovered running on the system during this phase of execution, the malware jumps to a fake function which generates dummy HTTP traffic. Additionally we discovered that if the malware is being debugged or if it was not executed from the HWP document (i.e. double clicking the binary) or if the OpenProcess() function succeed on the parent process, the fake function is also called”, Talos notes.
If it's executed in a sandbox, ROKRAT tries to conceal itself by firing off requests to Amazon and Hulu.
As well as the Twitter/Yandex/Mediafire C&C connections, the RAT includes a screen-shot uploader and a keylogger.
The main point of interest in ROKRAT's infection technique is that it uses an old Encapsulated PostScript exploit, CVE-2013-0808. The malicious document contains shellcode masquerading as a Hangul document. ®
Update: Mediafire has contacted The Register to say that while ROKRAT might have carried its URL, the account in the malware "never received any files," and that "the API key was never authorised, and processed no activity at all".
As a precaution, the organisation has blocked ROKRAT's ability to use the platform. ®
Biting the hand that feeds IT
