Redazione RHC : 4 August 2025 20:09
Specialists at the Genians Security Center have discovered an improved version of the RoKRAT malware, associated with the North Korean APT37 group. The new version is distinguished by an unusual way of hiding the malicious code: within the body of ordinary JPEG images. This approach allows it to bypass traditional antivirus systems, since the malicious functionality is not written directly to disk, but is extracted into RAM.
The initial infection begins with the launch of a malicious .LNK shortcut contained in a ZIP archive. An example is an archive called “National Intelligence and Counterintelligence Manuscript.zip”. Its structure includes a large (over 50 MB) .LNK file containing decoy documents and encrypted components: shellcode (ttf01.dat), PowerShell scripts (ttf02.dat), and batch files (ttf03.bat).
When the shortcut is executed, it launches PowerShell, which decrypts the 32-bit shellcode using a single-byte XOR with the key 0x33. The next step involves a second layer of encrypted code, which is decrypted starting at offset 0x590 using the key 0xAE. This yields an executable that still contains references to debugging information, such as the path “D:\Work\Util\InjectShellcode\Release\InjectShellcode.pdb”.
The decrypted fragment is then injected into legitimate Windows processes such as “mspaint.exe” or “notepad.exe” located in the SysWOW64 directory. This procedure allocates virtual memory into which blocks of data of approximately 892,928 bytes are written. These are decrypted once again using XOR, this time with the key 0xD6. At this point, the main part of RoKRAT is activated.
The file is not saved to disk, making post-infection analysis much more difficult. Signs of APT37 affiliation include file timestamps, such as April 21, 2025, 00:39:59 UTC, and unique constructs such as “-wwjaughalvncjwiajs-”.
The significant innovation is the use of steganography. The malicious RoKRAT loader is embedded in a JPEG image, such as “Father.jpg,” hosted on Dropbox. This file retains a valid Exif header, but starting at offset 0x4201 it contains an encoded shellcode. To extract it, a double XOR transformation is used: first with the 0xAA key, then with 0x29. RoKRAT is then loaded directly into memory and executed without leaving a trace on the file system.
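The container described above lends itself to a simple triage check. The script below is an added example, not code from the Genians report or from this article: it validates the JPEG/Exif header, applies the two XOR keys to the region starting at the reported offset, and looks for the indicator strings quoted in this article. The sample file is constructed inline (with a harmless marker instead of shellcode) so the check runs offline; the offset, keys and indicator strings are the ones reported, everything else is an assumption of the example.

```python
# Added triage helper (not from the Genians report): checks whether a JPEG
# carries an XOR-obfuscated payload at a known offset, using the offset and
# keys described in the article. The sample JPEG is constructed below.
SOI = b"\xff\xd8"
APP1 = b"\xff\xe1"
EXIF_TAG = b"Exif\x00\x00"
PAYLOAD_OFFSET = 0x4201          # offset reported for Father.jpg
XOR_KEYS = (0xAA, 0x29)          # applied in this order during decoding
# Strings quoted in the article; used here only as triage indicators.
INDICATORS = [b"-wwjaughalvncjwiajs-", b"InjectShellcode.pdb"]


def has_exif_header(data: bytes) -> bool:
    """True if data starts with SOI followed by an APP1 segment tagged Exif."""
    return data[:2] == SOI and data[2:4] == APP1 and data[6:12] == EXIF_TAG


def xor_chain(data: bytes, keys=XOR_KEYS) -> bytes:
    """Apply each single-byte XOR key in turn. Two single-byte XORs collapse
    to one key (0xAA ^ 0x29 == 0x83), which is handy when writing a rule."""
    key = 0
    for k in keys:
        key ^= k
    return bytes(b ^ key for b in data)


def triage_jpeg(data: bytes, offset=PAYLOAD_OFFSET) -> dict:
    """Decode the region at `offset` and report which indicators appear."""
    valid = has_exif_header(data)
    if not valid or len(data) <= offset:
        return {"valid_exif": valid, "hits": [], "decoded_len": 0}
    decoded = xor_chain(data[offset:])
    hits = [i.decode() for i in INDICATORS if i in decoded]
    return {"valid_exif": True, "hits": hits, "decoded_len": len(decoded)}


def build_sample() -> bytes:
    """Constructed test file: valid-looking Exif header, zero padding up to
    the offset, then an encoded blob holding one indicator (NOT shellcode)."""
    header = SOI + APP1 + b"\x00\x08" + EXIF_TAG   # APP1 length is a placeholder
    body = header + b"\x00" * (PAYLOAD_OFFSET - len(header))
    fake_payload = b"A" * 16 + b"-wwjaughalvncjwiajs-" + b"A" * 16
    return body + xor_chain(fake_payload)   # XOR is symmetric: encode == decode


if __name__ == "__main__":
    print(triage_jpeg(build_sample()))
```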
To launch the malicious DLL, sideloading techniques are used via legitimate utilities, such as ShellRunas.exe or AccessEnum.exe, embedded in HWP documents. Downloads are made from cloud platforms, including Dropbox, pCloud, and Yandex.Disk, using expired APIs and access tokens, such as: “hFkFeKn8jJIAAAAAAAAAAZr14zutJmQzoOx-g5k9SV9vy7phb9QiNCIEO7SAp1Ch”.
In addition to collecting system information and documents, RoKRAT takes screenshots and sends them to external servers. The latest samples, dated July 2025, are distributed via shortcuts such as “Academy Operation for Successful Resettlement of North Korean Defectors in South Korea.lnk”. These versions already use “notepad.exe” as the target process for injection, and new paths such as “D:\Work\Weapon” appear within the code, indicating the toolkit’s ongoing refinement.
Endpoint detection and response (EDR) systems play an important role in protecting against such attacks. These solutions monitor for unusual activity, including code injections and network connections to cloud APIs. Visualization via EDR allows you to reconstruct the entire attack chain, from LNK initiation to data transmission to the command server, as well as quickly isolate the threat using the MITRE ATT&CK methodology.
With APT groups’ increasingly sophisticated methods based on fileless execution and covert data transfer, it’s clear that traditional signature-based defenses are no longer sufficient, especially when the targets are Windows systems in South Korea and other countries in the region.