
"The digital missive contains a ZIP archive attachment that contains a Windows shortcut (LNK) masquerading as a PDF document, which, when opened, launches the newsletter as a decoy while dropping RokRAT on the infected host. RokRAT is a known malware associated with APT37, with the tool capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. The gathered data is exfiltrated via Dropbox, Google Cloud, pCloud, and Yandex Cloud."
"Seqrite said it detected a second campaign in which the LNK file serves as a conduit for a PowerShell script that, besides dropping a decoy Microsoft Word document, runs an obfuscated Windows batch script that's responsible for deploying a dropper. The binary then runs a next-stage payload to steal sensitive data from the compromised host while concealing network traffic as a Chrome file upload."
Seqrite researchers identified a spear-phishing campaign, codenamed Operation HanKook Phantom, that uses newsletter lures to deliver RokRAT, a malware family associated with APT37. Targets include individuals associated with the National Intelligence Research Association, such as academics, former officials, and researchers. The initial email carries a ZIP archive containing a Windows shortcut (LNK) disguised as a PDF; opening it displays the newsletter as a decoy while RokRAT is dropped on the host. RokRAT can collect system information, run arbitrary commands, enumerate the file system, capture screenshots, and download additional payloads, and it exfiltrates the collected data through legitimate cloud services (Dropbox, Google Cloud, pCloud, and Yandex Cloud), which makes the traffic hard to separate from ordinary use. A second variant uses the LNK to run a PowerShell script that drops a decoy Microsoft Word document and an obfuscated batch script; the batch script deploys a dropper, and the final payload steals data while disguising its network traffic as a Chrome file upload. The operation aims to steal sensitive information, establish persistence, and conduct espionage.
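As an added example (not code from the Seqrite report or The Hacker News article), the following Python script triages a ZIP attachment for the kind of LNK lure described above. It identifies shortcuts by their Shell Link header rather than by file name, parses the StringData fields (MS-SHLLINK) to recover what each shortcut actually launches, and flags the tricks the write-up describes: a document extension placed in front of the hidden `.lnk`, a script host as the target, hidden or non-interactive launch options, and a minimised ShowCommand. The sample archive, file names, paths and command-line arguments are constructed and hypothetical; they are not indicators from this campaign.

```python
"""Triage a ZIP attachment for Windows shortcut (LNK) lures. Added example;
all sample data is constructed and hypothetical, not campaign indicators."""
import io
import struct
import sys
import zipfile

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = struct.pack("<I", HEADER_SIZE) + LNK_CLSID

# LinkFlags bits (MS-SHLLINK 2.1.1) and the StringData they introduce, in order
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # window starts minimised, favoured by shortcut lures

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt", ".jpg")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec")
HIDDEN_OPTS = ("-w hidden", "-windowstyle hidden", "-nop", "-noni", "-enc", "bypass")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shortcut."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file (bad HeaderSize/CLSID)")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "show_command": show_cmd}
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields


def scan_zip(zip_bytes: bytes) -> list:
    """One finding per shortcut in the archive, detected by magic, not by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data[:20] != LNK_MAGIC:
                continue
            lnk = parse_lnk(data)
            base = info.filename.rsplit("/", 1)[-1].lower()
            stem = base[:-4] if base.endswith(".lnk") else base
            launch = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
            indicators = []
            if stem.endswith(DOC_EXTENSIONS):   # Explorer hides .lnk, so user sees "x.pdf"
                indicators.append("document extension in front of .lnk")
            if any(h in launch for h in SCRIPT_HOSTS):
                indicators.append("target is a script/LOLBin host")
            if any(o in launch for o in HIDDEN_OPTS):
                indicators.append("hidden or non-interactive launch options")
            if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                indicators.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised)")
            findings.append({"name": info.filename, "target": lnk.get("relative_path"),
                             "arguments": lnk.get("arguments"),
                             "icon": lnk.get("icon_location"), "indicators": indicators})
    return findings


def build_lnk(relative_path, working_dir, arguments, icon_location) -> bytes:
    """Minimal shortcut carrying only StringData (no IDList/LinkInfo); test data."""
    flags = 0x08 | 0x10 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)

    def sd(s):  # CountCharacters + UTF-16LE string
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + b"".join(sd(s) for s in (relative_path, working_dir, arguments, icon_location))


def build_sample_zip() -> bytes:
    """Constructed lure archive (hypothetical names, paths and arguments)."""
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"%TEMP%", r"-w hidden -nop -File %TEMP%\stage.ps1",
                    r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe")  # PDF icon
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Newsletter.pdf.lnk", lnk)
        zf.writestr("readme.txt", "benign file, must not be reported")
    return buf.getvalue()


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    for f in scan_zip(blob):
        print(f"{f['name']}\n  target: {f['target']}\n  args:   {f['arguments']}")
        for i in f["indicators"]:
            print(f"  [!] {i}")
```

Run it with the path to a quarantined archive as the only argument; without one it scans the built-in sample. Two caveats before relying on it: a shortcut that stores its target only in the LinkTargetIDList (no RelativePath) yields an empty `target` here because the ItemIDList is skipped rather than walked, so pair this with a full parser such as LECmd for anything the triage flags; and the decoy the lure opens is usually a second, clean file, so a ZIP with one shortcut and nothing else is itself worth noting.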
Read at The Hacker News