RAT-Catchers Spot New Malware Attacking Word Processor of South Korea
The latest attack, reported on Monday, again uses Hangul documents in phishing e-mails to deliver the payload, which this time is ROKRAT.
Security researchers had reported back in February that an attack used a compromised government website to distribute malware in macro-laden documents targeting users of the local-language word processor known as Hangul.
The attackers tried to trick victims into opening attachments by posing as a request for feedback to the conference organizers. The phishing e-mails carry two HWP documents, each embedding an EPS (Encapsulated PostScript) object.
The Register reported on April 5th, 2017, that the RAT uses Yandex, Mediafire and Twitter for data exfiltration and command-and-control because these are "difficult to block globally": they are legitimate business tools, and their use of HTTPS makes the traffic hard to spot at the firewall.
In this way the attacker makes malicious traffic harder to detect and also benefits from the HTTPS connectivity these services already provide.
If the RAT finds that it is running on Windows XP, it puts itself into an infinite sleep. Otherwise, once it executes, it checks the victim's process list for antivirus or analysis tools such as Wireshark.
If any such process is found, the malware jumps to a fake function that generates dummy HTTP traffic. As Talos notes, the same fake function is also called when the malware detects that it is being debugged, when an OpenProcess() call on its parent process succeeds, or when it was not launched from an HWP document.
When it is being run in a sandbox, ROKRAT tries to conceal itself by firing off requests to Hulu and Amazon.
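The anti-analysis gate described above, written out as an added illustration for analysts (this is not ROKRAT's own code, nor code from Talos or The Register): it models which host conditions divert execution into the decoy path, so a sandbox operator can see why a run that has Wireshark open, a debugger attached, or the sample launched directly rather than from an HWP document will only ever produce dummy HTTP traffic. The field names, the watched process names other than "wireshark", and the decoy hostnames are assumptions made for this example.

```python
"""Model of ROKRAT's anti-analysis gate as described in the Talos write-up.

Added illustration, not malware code: each check from the article is a
field on HostState, and trigger_reasons() reports which checks would send
execution into the fake (decoy HTTP traffic) function.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    SLEEP_FOREVER = "infinite sleep (Windows XP detected)"
    DECOY_TRAFFIC = "call fake function: dummy HTTP traffic only"
    REAL_C2 = "real C2 path via cloud services"


# "wireshark" comes from the article; the other names are assumed here as
# typical analysis tools, not a list taken from the malware.
WATCHED_PROCESSES = ("wireshark", "procmon", "procexp", "ollydbg", "x64dbg")

# Decoy destinations named in the article (hostnames assumed for the example).
DECOY_HOSTS = ("www.hulu.com", "www.amazon.com")


@dataclass
class HostState:
    os_is_windows_xp: bool
    process_names: tuple[str, ...]
    debugger_present: bool
    open_process_on_parent_succeeds: bool
    launched_from_hwp: bool


def trigger_reasons(state: HostState) -> list[str]:
    """Return every condition (in check order) that routes to the decoy path."""
    reasons: list[str] = []
    for name in state.process_names:
        if any(tool in name.lower() for tool in WATCHED_PROCESSES):
            reasons.append(f"analysis/AV process running: {name}")
    if state.debugger_present:
        reasons.append("debugger attached")
    if state.open_process_on_parent_succeeds:
        reasons.append("OpenProcess() on parent process succeeded")
    if not state.launched_from_hwp:
        reasons.append("not launched from an HWP document")
    return reasons


def decide(state: HostState) -> Action:
    """Windows XP is checked first; any tripped gate then selects the decoy."""
    if state.os_is_windows_xp:
        return Action.SLEEP_FOREVER
    if trigger_reasons(state):
        return Action.DECOY_TRAFFIC
    return Action.REAL_C2


if __name__ == "__main__":
    # Constructed sandbox snapshot: Wireshark running, sample launched directly.
    sandbox = HostState(
        os_is_windows_xp=False,
        process_names=("explorer.exe", "Wireshark.exe", "rokrat_sample.exe"),
        debugger_present=False,
        open_process_on_parent_succeeds=False,
        launched_from_hwp=False,
    )
    print(decide(sandbox).value)
    for reason in trigger_reasons(sandbox):
        print(" -", reason)
    if decide(sandbox) is Action.DECOY_TRAFFIC:
        print("expected traffic:", ", ".join(DECOY_HOSTS))
```

The practical consequence for a sandbox run is that every gate has to be cleared at once (no listed tool in the process table, no debugger, the parent relationship intact, and the sample started from the HWP document) before the real cloud-service C2 path is reached; clearing only some of them still yields nothing but decoy traffic.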
The main point of interest in ROKRAT's infection technique is its use of an old EPS exploit, CVE-2013-0808. The malicious document contains shellcode masquerading as a Hangul document; the shellcode is used to trigger CVE-2013-0808 and then to download the ROKRAT binary from the command-and-control server.
» SPAMfighter News - 10-04-2017