1. Home
  2. Software
  3. ROKRAT

ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37. This software has been used to target victims in South Korea. APT37 used ROKRAT during several campaigns in 2016 through 2018. [1] [2]

ID: S0240
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 17 October 2018
Last Modified: 23 November 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ROKRAT use HTTPS for all command and control communication methods.[1][3]
Enterprise T1123 Audio Capture

ROKRAT has a audio capture and eavesdropping module.[4]
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ROKRAT steals credentials stored in Web browsers by querying the sqlite database.[2]
.004 Credentials from Password Stores: Windows Credential Manager

ROKRAT steals credentials by leveraging the Windows Vault mechanism.[2]
Enterprise T1005 Data from Local System

ROKRAT can request to upload collected host data and additional files.[3]
Enterprise T1041 Exfiltration Over C2 Channel

ROKRAT sends collected files back over same C2 channel.[1]
Enterprise T1083 File and Directory Discovery

ROKRAT has the ability to gather a list of files and directories on the infected system.[4][3]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

ROKRAT can request to delete files.[3]

Enterprise T1105 Ingress Tool Transfer

ROKRAT retrieves additional malicious payloads from the C2 server.[1][3]
Enterprise T1056 .001 Input Capture: Keylogging

ROKRAT uses a keylogger to capture keystrokes and location of where the user is typing.[1]
Enterprise T1057 Process Discovery

ROKRAT lists the current running processes on the system.[1][3]
Enterprise T1012 Query Registry

ROKRAT accesses the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[2]
Enterprise T1113 Screen Capture

ROKRAT captures screenshots of the infected system using the gdi32 library.[1][5][4][3]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

ROKRAT checks for debugging tools.[2][3]
Enterprise T1082 System Information Discovery

ROKRAT gathers the computer name and checks the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.[1][5][4][3]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

ROKRAT checks for sandboxing libraries.[2][3]
Enterprise T1102 .002 Web Service: Bidirectional Communication

ROKRAT leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for C2 communications.[1][4]

Groups That Use This Software

ID Name References
G0067 APT37

[2][4]

References

  1. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  2. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  3. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  1. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  2. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.