Security researchers reported last December that they had identified a malicious document which, when opened, executes a macro in memory. The document's purpose is to install the RokRat remote access trojan (RAT) without being noticed.
The file carries an embedded VBA macro that uses a self-decoding technique: the macro decrypts itself in memory rather than writing a decoded copy to disk. According to the researchers, a variant of RokRat is then injected into a Notepad process.
The APT37 hacking group believed to be behind the RokRat distribution is known for attacks on public- and private-sector organizations, particularly in South Korea. Its targets have included manufacturing, healthcare, automotive, aerospace and electronics entities. The group is suspected to have been active since at least 2012, and over the years its reach has expanded to Japan, Vietnam, Russia, Nepal, China, India, parts of the Middle East and even Romania.
In previous attacks, the group has used malware-laced Hangul Word Processor (HWP) documents. In this new spear-phishing operation against South Korea, however, the use of self-decoding VBA Office files to distribute RokRat marks a shift in APT37's tactics.
The malicious document was uploaded to VirusTotal in December and appears to pose as a meeting request dated 23 January 2020.
One of the tasks performed by the macro is injecting shellcode into a Notepad.exe process; that shellcode downloads the RokRat payload, in encrypted form, from a Google Drive URL.
RokRat, first publicly documented by Cisco Talos in 2017, is a malware of choice for APT37 and has been used by the group in many campaigns since 2016. A Windows backdoor delivered through trojanized documents, RokRat can take screenshots, log keystrokes, evade antivirus analysis and detection, and abuse cloud storage APIs such as Dropbox and Yandex.
In 2019, as part of an intelligence-gathering operation against investment and trading firms in Vietnam and Russia and a diplomatic agency headquartered in Hong Kong, the cloud-based RokRat gained additional functionality for stealing Bluetooth device details.
According to the researchers, Microsoft Office documents carrying a self-decoding macro are a clever distribution technique: the encoded macro stays under the radar of static detection mechanisms and conceals the real intent of the document until it runs.
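The static-detection point cuts both ways: an encoded payload hides the intent, but the decode loop, the Win32 injection API declarations and the name of the target process are still plain text in the macro source. The following Python triage script is an added example (mine, not the researchers' tooling and not code from the RokRat sample) that scans extracted VBA source for exactly those traces described above: an auto-execute entry point, declared injection APIs, a byte array with an XOR decode loop, and a reference to notepad.exe. It then brute-forces single-byte XOR over any embedded byte arrays to recover what the macro would decode in memory. The macro text, the XOR key and the placeholder Google Drive URL are constructed for the demonstration; a real document needs its VBA extracted first (for example with olevba), which this script does not do.

```python
"""Static triage of extracted VBA source for self-decoding / process-injection traces.
Added example for this article, not the researchers' tooling. It does not parse
Office containers; extract the VBA text first (e.g. with olevba). The sample
macro, XOR key and URL below are constructed, not taken from the RokRat dropper."""
import re

# Win32 APIs a macro typically declares to run shellcode inside another process.
INJECTION_APIS = {
    "CreateProcessA", "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "RtlMoveMemory",
}

# Signs that strings or code are rebuilt at run time instead of stored in the clear.
DECODE_PATTERNS = {
    "xor_loop": re.compile(r"\bXor\b", re.I),
    "char_rebuild": re.compile(r"\bChr[W$]?\s*\(", re.I),
    "byte_array": re.compile(r"\bArray\s*\((?:\s*&H[0-9A-F]{1,2}\s*,){16,}", re.I),
    # Writing decoded VBA back into the project is another common self-decoding route.
    "vbe_self_modify": re.compile(r"\b(?:AddFromString|InsertLines|CodeModule|VBComponents)\b", re.I),
}

AUTO_EXEC = re.compile(r"\b(?:AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", re.I)
NOTEPAD = re.compile(r"\bnotepad(?:\.exe)?\b", re.I)
DECLARE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?"
                     r"(?:Function|Sub)\s+(\w+)", re.I | re.M)
ARRAY_RE = re.compile(r"\bArray\s*\(([^)]*)\)", re.I | re.S)
HEXBYTE_RE = re.compile(r"&H([0-9A-F]{1,2})", re.I)
# A recovered string must look like a URL or a path before it is reported.
INDICATOR_RE = re.compile(r"https?://|\.(?:exe|dll)\b|[A-Za-z]:\\", re.I)


def scan_vba(source: str) -> dict:
    """Return the indicators found in the macro source plus a coarse verdict."""
    declared = set(DECLARE.findall(source))
    hits = {
        "auto_exec": bool(AUTO_EXEC.search(source)),
        "injection_apis": sorted(declared & INJECTION_APIS),
        "decode_indicators": sorted(k for k, p in DECODE_PATTERNS.items() if p.search(source)),
        "names_notepad": bool(NOTEPAD.search(source)),
    }
    score = int(hits["auto_exec"]) + int(hits["names_notepad"]) + int(bool(hits["decode_indicators"]))
    if len(hits["injection_apis"]) >= 2:
        score += 2  # allocate+write or write+thread is the core of an injector
    if score >= 4:
        hits["verdict"] = "likely self-decoding injector"
    elif score >= 2:
        hits["verdict"] = "review manually"
    else:
        hits["verdict"] = "no injection indicators"
    return hits


def recover_xor_strings(source: str, min_len: int = 16) -> list:
    """Brute-force single-byte XOR over embedded byte arrays; return (key, text)
    pairs that decode to printable text resembling a URL or path. This does
    statically what the macro does in memory at run time."""
    found = []
    for m in ARRAY_RE.finditer(source):
        blob = bytes(int(h, 16) for h in HEXBYTE_RE.findall(m.group(1)))
        if len(blob) < min_len:
            continue
        for key in range(256):
            dec = bytes(b ^ key for b in blob)
            if all(32 <= c < 127 for c in dec):
                text = dec.decode("ascii")
                if INDICATOR_RE.search(text):
                    found.append((key, text))
    return found


# ---- constructed sample input (not the RokRat dropper) ----
XOR_KEY = 0x2A
HIDDEN_URL = "https://drive.google.com/uc?id=CONSTRUCTED_ID"  # placeholder, not a real URL


def _vba_hex_array(data: bytes, key: int) -> str:
    return "Array(" + ", ".join(f"&H{b ^ key:02X}" for b in data) + ")"


# Declare signatures are abbreviated; only the API names matter to the scanner.
SAMPLE_MACRO = f'''
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" (ByVal lpApp As String) As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "kernel32" (ByVal hProc As LongPtr) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProc As LongPtr) As Long
Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" (ByVal hProc As LongPtr) As LongPtr

Sub Document_Open()
    Dim enc As Variant, buf() As Byte, i As Long, url As String
    enc = {_vba_hex_array(HIDDEN_URL.encode(), XOR_KEY)}
    ReDim buf(UBound(enc))
    For i = 0 To UBound(enc)
        buf(i) = enc(i) Xor &H{XOR_KEY:02X}
    Next i
    url = StrConv(buf, vbUnicode)
    ' stage two is fetched from url, then notepad.exe is started and the shellcode
    ' is placed there with VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
End Sub
'''

BENIGN_MACRO = '''
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, scan_vba(src))
    print("recovered:", recover_xor_strings(SAMPLE_MACRO))
```

The scoring is deliberately coarse: a single declared API or a lone Xor is common in legitimate macros, so the verdict only escalates when an auto-execute entry point, at least two injection APIs and a decode pattern appear together. The recovery step is what turns "this macro decodes something" into an actual indicator (a download URL or a dropped path) without ever executing the document.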