Rokrat – Do You KNOW This Malware

Post by rajarshi Jan 12, 2021

KNOW is Netenrich’s threat intelligence platform and cybersecurity news aggregator. As per KNOW’s threat intel dashboard, Rokrat was the third most trending malware over the last seven days.


What is Rokrat?

Rokrat is a cloud-based RAT (remote access tool) used primarily by APT37, aka ScarCruft, a North Korean threat actor, to target victims in South Korea. APT37 used Rokrat in several campaigns between 2016 and 2018, delivering a malicious Hangul Word Processor (HWP) document in spearphishing emails to infect hosts.

How does Rokrat work?

Rokrat uses the legitimate Twitter, Yandex, and Mediafire services as its command-and-control (C2) channels and exfiltration platforms. Because these are widely used services, blocking them outright at a global level is difficult without disrupting legitimate traffic. Once a device is infected, the malware can execute commands to move or remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes.
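Since the post's point is that the C2 domains themselves cannot simply be blocked, a more practical control is to alert when a process that is not an expected web client contacts one of those services. The following is an added illustration, not code from the KNOW post or from Netenrich: it parses constructed, simplified network-connection records (loosely modelled on EDR or Sysmon output; the key=value format, hostnames, process paths and the browser allowlist are all assumptions) and flags connections to the three services named above that originate from non-browser processes.

```python
"""Flag connections to Twitter/Yandex/Mediafire from unexpected processes.

Added example (not the KNOW post's or Netenrich's code). The record format,
hostnames, paths and allowlist below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List

# Cloud services the post names as Rokrat C2 / exfiltration channels.
WATCHED_DOMAINS = ("twitter.com", "yandex.com", "mediafire.com")

# Processes expected to reach these services; anything else is worth a look.
# Constructed allowlist - tune it to the environment's real web clients.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# key=value pairs; a value may be double-quoted so that paths can contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed network-connection record into a dict."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_watched(dest: str) -> bool:
    """True if the destination host is one of the watched domains or a subdomain.

    Simplification: 'host:port' only; IPv6 literals are not handled here.
    """
    host = dest.split(":")[0].lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return records where a non-allowlisted process contacted a watched service."""
    hits = []
    for line in lines:
        event = parse_event(line)
        dest = event.get("dest")
        if not dest or not is_watched(dest):
            continue
        if image_name(event.get("image", "")) in EXPECTED_CLIENTS:
            continue
        hits.append(event)
    return hits


# Constructed sample telemetry (not real logs). Two records should alert:
# rundll32.exe and a Temp-directory updater.exe, both spawned by a document
# processor, reaching Mediafire and Twitter respectively.
SAMPLE_LOG = """\
ts=2020-12-07T10:15:01Z host=ws01 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" parent=C:\\Windows\\explorer.exe dest=api.twitter.com:443
ts=2020-12-07T10:15:02Z host=ws01 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe dest=update.example.org:443
ts=2020-12-07T10:16:40Z host=ws02 image=C:\\Windows\\System32\\rundll32.exe parent="C:\\Program Files\\WordProc\\wordproc.exe" dest=www.mediafire.com:443
ts=2020-12-07T10:17:05Z host=ws02 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" parent=C:\\Windows\\explorer.exe dest=disk.yandex.com:443
ts=2020-12-07T10:18:22Z host=ws03 image=C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe parent="C:\\Program Files\\WordProc\\wordproc.exe" dest=twitter.com:443
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['host']}: {image_name(hit['parent'])} -> "
              f"{image_name(hit['image'])} contacted {hit['dest']}")
```

The allowlist approach deliberately leaves the services reachable and only raises an alert on the unexpected source process, which matches the post's observation that the domains are hard to block globally. Its blind spot is code injected into an allowlisted browser, so in practice this rule is paired with process-lineage and file-creation telemetry (for example, a document viewer spawning a child that then makes these connections) rather than used alone.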

Why is Rokrat trending?

ScarCruft was recently observed targeting the South Korean government, using a VBA self-decoding technique to inject Rokrat. On December 7, 2020, a malicious document uploaded to VirusTotal was identified; it posed as a meeting request aimed at the South Korean government. The attack itself had apparently taken place about a year earlier.

Twitter reacts

#1 Malwarebytes Threat Intelligence

#2 NK News

#3 Mihoko Matsubara

Rokrat references from KNOW


  • Total references: 791
  • Previous 60 days: 374
  • Last 7 days: 373

Rokrat threat intel context from KNOW


  • Related threat actors: ScarCruft and Turla Group.
  • Related intrusion methods: Malware, Phishing, Keylogger, ShellCode, Exploit, and Zero Day.
  • Industries targeted: Aerospace and Defense.
  • Hashes: 23
  • URLs: 1
  • Associated vulnerabilities: CVE-2018-4878

KNOW our powerful threat intelligence platform


KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now. However, Netenrich’s offering isn’t just limited to threat intelligence. We offer a powerful combination of threat and attack surface intelligence.

Threat and Attack Surface Intelligence will help your SecOps to:

  • Find hidden risks to your brand on the public Internet
  • Stay informed about threats in minutes versus hours
  • Act on the most critical threats first
  • Reduce effort and alert fatigue
  • Measure and demonstrate value

Why did we create Knowledge NOW? Read our story


Find out more about Netenrich’s Attack Surface Intelligence (ASI) solution.
