
RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A new variant of the RoKRAT malware used by APT37 has been identified. It employs a two-stage encrypted shellcode injection method and uses steganography to conceal malicious code inside image files. The malware is distributed in compressed archives and relies on shortcut files with embedded commands to start the attack. It decodes its payload through a multi-step process built on XOR operations and injects itself into legitimate Windows processes. The threat actor abuses cloud storage services as command and control channels, authenticating with Dropbox access tokens. Because the malware is stealthy and relies on fileless techniques, traditional security solutions have difficulty detecting it; this underlines the value of EDR-based defense strategies that monitor and analyze abnormal behaviors in real time.

OPENCTI LABELS:

cloud,apt,fileless,dropbox,injection,steganography,rokrat,shellcode,edr,xor



