{"Event":{"info":"OSINT - Introducing ROKRAT","Tag":[{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:rat=\"rokrat\""}],"publish_timestamp":"1491334593","timestamp":"1511874210","analysis":"2","Attribute":[{"comment":"","category":"External analysis","uuid":"58e3f463-21ac-4f6a-adc1-4e36950d210f","timestamp":"1491334504","to_ids":false,"value":"http://blog.talosintelligence.com/2017/04/introducing-rokrat.html","Tag":[{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""}],"disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"","category":"External analysis","uuid":"58e3f472-01f8-4f87-a9d4-44e7950d210f","timestamp":"1491334504","to_ids":false,"value":"A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was\u2026 a Remote Administration Tool, which we have named ROKRAT.\r\n\r\nLike in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was 'kgf2016@yonsei.ac.kr' which is the contact email of the Korea Global Forum where the slogan in 2016 was \"Peace and Unification of the Korean Peninsula\". This fact gives more credit and legitimacy to the email.\r\n\r\nThe HWP document contained an embedded Encapsulated PostScript (EPS) object. As with our previous publication this again is zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens.","Tag":[{"colour":"#00223b","exportable":true,"name":"osint:source-type=\"blog-post\""}],"disable_correlation":false,"object_relation":null,"type":"text"},{"comment":"HWP Documents","category":"Payload delivery","uuid":"58e3f4b1-0674-48ec-8197-dbe7950d210f","timestamp":"1491334504","to_ids":true,"value":"7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e","disable_correlation":false,"object_relation":null,"type":"sha256"},{"comment":"HWP Documents","category":"Payload delivery","uuid":"58e3f4b2-5594-45b7-a9ce-dbe7950d210f","timestamp":"1491334504","to_ids":true,"value":"5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f","disable_correlation":false,"object_relation":null,"type":"sha256"},{"comment":"ROKRAT PE32","category":"Payload delivery","uuid":"58e3f4c0-e40c-4d59-a481-4977950d210f","timestamp":"1491334504","to_ids":true,"value":"cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c","disable_correlation":false,"object_relation":null,"type":"sha256"},{"comment":"ROKRAT PE32","category":"Payload delivery","uuid":"58e3f4c1-d2cc-4220-a25b-4557950d210f","timestamp":"1491334504","to_ids":true,"value":"051463a14767c6477b6dacd639f30a8a5b9e126ff31532b
