April 6, 2017 By Larry Loeb 2 min read

A new RAT has been spotted scurrying around word processing programs. Cisco Talos recently discovered a new remote administration tool (RAT) called ROKRAT, which is specifically designed to be very hard to detect. The RAT plays off a Korean-language Microsoft Word alternative called the Hangul word processor (HWP).

Researchers determined that the RAT was involved in an overall campaign that leveraged a malicious email attachment called a MalDoc. They believed the attackers used it to try and gain complete control over the victim’s system. The phishing email purports to originate from South Korea’s Yonsei University. The email is about an upcoming fictitious Korean Reunification and North Korean Conference.

A Returning Remote Access Tool

Talos has seen these types of malicious email attachments before. But in this case, the attack contains two HWP documents, each having an embedded Encapsulated PostScript (EPS) object. Since 2013, the known vulnerability CVE-2013-0808, which is an EPS viewer buffer overflow, allowed a remote attacker to execute arbitrary code on targeted machines.

When prompted, the MalDoc will attempt to download a binary masquerading as a .JPEG file from an official Korean government website. The binary is expanded and ROKRAT is then executed.

If ROKRAT finds itself in a sandbox environment, it will simply just link to harmless sites, increasing the stealth of the overall effort. For example, the malware won’t run on Windows XP. This kind of operational security is typical of the more sophisticated RAT campaign.

Even though HWP is targeted in this phishing effort, Word could be the next mule used by the campaign, since this attack exploits an EPS vulnerability. “Anything that could embed an EPS file could be a potential (attack) vector,” Craig Williams, senior technical leader for Talos explained to Threatpost.

Increased Stealth Factor

Adding to its complex operation, ROKRAT uses Twitter, Yandex and Mediafire for command-and-control (C&C) communications and exfiltration platforms. Because these platforms are legitimately used within businesses, it’s nearly impossible to block usage to protect from a malicious remote access tool.

Making things even stealthier, all three platforms that ROKRAT communicates through use HTTPS connections. This makes it difficult for a defense program to identify patterns in the malware communications or the usage of specific tokens.

The actors behind this malware seem very interested in South Korea: HWP is widely used in the country, and the social engineering techniques are designed to fit inconspicuously into a South Korean environment. However, the novel communication methods that ROKRAT uses, as well as the vulnerability it exploits, suggest that other targets may be next.

To help combat these types of attacks, Talos suggested implementing advanced malware protection. These protections can serve as a line of defense against these hard-to-detect attacks.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today