APT37 - RokRat
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The attack vector is malicious LNK files distributed via group chat platforms. The infection process begins with phishing emails carrying ZIP attachments that conceal the malicious LNK files. When executed, these files initiate a multi-stage attack using batch scripts and PowerShell, ultimately deploying RokRat as the final payload. RokRat, a remote access Trojan, collects detailed system information, abuses cloud services for command and control, and employs anti-analysis techniques. It can execute remote commands, exfiltrate data, and perform various other malicious activities on infected systems.
OPENCTI LABELS:
powershell, phishing, remote access trojan, north korea, lnk files, rokrat, cloud services