April 6, 2017 By Larry Loeb 2 min read

A new RAT has been spotted scurrying around word processing programs. Cisco Talos recently discovered a new remote administration tool (RAT) called ROKRAT, which is specifically designed to be very hard to detect. The RAT plays off a Korean-language Microsoft Word alternative called the Hangul word processor (HWP).

Researchers determined that the RAT was involved in an overall campaign that leveraged a malicious email attachment called a MalDoc. They believed the attackers used it to try and gain complete control over the victim’s system. The phishing email purports to originate from South Korea’s Yonsei University. The email is about an upcoming fictitious Korean Reunification and North Korean Conference.

A Returning Remote Access Tool

Talos has seen these types of malicious email attachments before. But in this case, the attack contains two HWP documents, each having an embedded Encapsulated PostScript (EPS) object. Since 2013, the known vulnerability CVE-2013-0808, which is an EPS viewer buffer overflow, allowed a remote attacker to execute arbitrary code on targeted machines.

When prompted, the MalDoc will attempt to download a binary masquerading as a .JPEG file from an official Korean government website. The binary is expanded and ROKRAT is then executed.

If ROKRAT finds itself in a sandbox environment, it will simply just link to harmless sites, increasing the stealth of the overall effort. For example, the malware won’t run on Windows XP. This kind of operational security is typical of the more sophisticated RAT campaign.

Even though HWP is targeted in this phishing effort, Word could be the next mule used by the campaign, since this attack exploits an EPS vulnerability. “Anything that could embed an EPS file could be a potential (attack) vector,” Craig Williams, senior technical leader for Talos explained to Threatpost.

Increased Stealth Factor

Adding to its complex operation, ROKRAT uses Twitter, Yandex and Mediafire for command-and-control (C&C) communications and exfiltration platforms. Because these platforms are legitimately used within businesses, it’s nearly impossible to block usage to protect from a malicious remote access tool.

Making things even stealthier, all three platforms that ROKRAT communicates through use HTTPS connections. This makes it difficult for a defense program to identify patterns in the malware communications or the usage of specific tokens.

The actors behind this malware seem very interested in South Korea: HWP is widely used in the country, and the social engineering techniques are designed to fit inconspicuously into a South Korean environment. However, the novel communication methods that ROKRAT uses, as well as the vulnerability it exploits, suggest that other targets may be next.

To help combat these types of attacks, Talos suggested implementing advanced malware protection. These protections can serve as a line of defense against these hard-to-detect attacks.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today