Recently Discovered Remote Access Tool Perpetuates MalDoc Attacks

April 6, 2017 @ 9:45 AM
| |
2 min read

A new RAT has been spotted scurrying around word processing programs. Cisco Talos recently discovered a new remote administration tool (RAT) called ROKRAT, which is specifically designed to be very hard to detect. The RAT plays off a Korean-language Microsoft Word alternative called the Hangul word processor (HWP).

Researchers determined that the RAT was involved in an overall campaign that leveraged a malicious email attachment called a MalDoc. They believed the attackers used it to try and gain complete control over the victim’s system. The phishing email purports to originate from South Korea’s Yonsei University. The email is about an upcoming fictitious Korean Reunification and North Korean Conference.

A Returning Remote Access Tool

Talos has seen these types of malicious email attachments before. But in this case, the attack contains two HWP documents, each having an embedded Encapsulated PostScript (EPS) object. Since 2013, the known vulnerability CVE-2013-0808, which is an EPS viewer buffer overflow, allowed a remote attacker to execute arbitrary code on targeted machines.

When prompted, the MalDoc will attempt to download a binary masquerading as a .JPEG file from an official Korean government website. The binary is expanded and ROKRAT is then executed.

If ROKRAT finds itself in a sandbox environment, it will simply just link to harmless sites, increasing the stealth of the overall effort. For example, the malware won’t run on Windows XP. This kind of operational security is typical of the more sophisticated RAT campaign.

Even though HWP is targeted in this phishing effort, Word could be the next mule used by the campaign, since this attack exploits an EPS vulnerability. “Anything that could embed an EPS file could be a potential (attack) vector,” Craig Williams, senior technical leader for Talos explained to Threatpost.

Increased Stealth Factor

Adding to its complex operation, ROKRAT uses Twitter, Yandex and Mediafire for command-and-control (C&C) communications and exfiltration platforms. Because these platforms are legitimately used within businesses, it’s nearly impossible to block usage to protect from a malicious remote access tool.

Making things even stealthier, all three platforms that ROKRAT communicates through use HTTPS connections. This makes it difficult for a defense program to identify patterns in the malware communications or the usage of specific tokens.

The actors behind this malware seem very interested in South Korea: HWP is widely used in the country, and the social engineering techniques are designed to fit inconspicuously into a South Korean environment. However, the novel communication methods that ROKRAT uses, as well as the vulnerability it exploits, suggest that other targets may be next.

To help combat these types of attacks, Talos suggested implementing advanced malware protection. These protections can serve as a line of defense against these hard-to-detect attacks.

Larry Loeb
Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE mag...
read more