APT37 - RokRat
Essential information
- Published: 12/03/2025 11:56
- Modified: 12/03/2025 12:25
- Tags: 2025-03-12, cloud services, lnk files, north korea, phishing, powershell, remote access trojan, rokrat
- Related entities: 9 observables, 1 intrusion set (APT), 21 techniques (MITRE), 1 malware, 3 others
Description
APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing emails containing ZIP attachments that conceal malicious LNK files. When executed, these files initiate a multi-stage attack using batch scripts and PowerShell, ultimately deploying RokRat as the final payload. RokRat, a remote access Trojan, collects detailed system information, abuses cloud services for command and control, and employs anti-analysis techniques. It can execute remote commands, exfiltrate data, and perform various malicious activities on infected systems.