North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics to breach systems, leveraging malicious ZIP files containing LNK files to initiate attacks.
These LNK files, often disguised as documents related to North Korean affairs or trade agreements, are distributed via phishing emails.
Once opened, they trigger a multi-stage attack involving PowerShell scripts and batch files, ultimately deploying the RokRat remote access Trojan (RAT) as the final payload.
The infection process begins with phishing emails crafted to look urgent and credible, reusing real information taken from public websites.
These emails contain ZIP attachments with malicious LNK files.
When executed, the LNK file checks if it’s running from System32 or Program Files and moves to the %temp% directory if necessary.
It then extracts several payloads, including a decoy HWPX document, a batch script named shark.bat, and other files like caption.dat and elephant.dat.
The shark.bat script executes PowerShell commands in a hidden window, loading and executing the elephant.dat script, which decrypts the caption.dat file using a single-byte XOR key.
This decrypted content is then executed in memory, leading to the deployment of the RokRat RAT.
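The single-byte XOR stage described above is trivial for an analyst to unwind offline once the key is known, and the key space is only 256 values. The following is an added example (not code from the article, the researchers, or any sample): a small triage helper that brute-forces a single-byte XOR key by ranking decodings on how text-like they are, and a second routine that derives the key from a known-plaintext crib and refuses to guess when the crib bytes disagree. The blob it decodes is constructed here; the key 0x5A and the stand-in text are arbitrary choices so that the script runs without any real malware.

```python
"""Recover a single-byte-XOR-encoded stage for offline analysis.

Added example, not code from the article or from any sample. The blob
below is constructed here (DEMO_KEY is an arbitrary choice and the text a
harmless stand-in) so the script runs without real malware.
"""
import string
from typing import Optional

PRINTABLE = set(string.printable.encode("ascii"))

DEMO_KEY = 0x5A  # arbitrary demo key, not a value from any sample
DEMO_PLAINTEXT = b"# constructed demo stage two\nWrite-Host 'stage two loaded'\nGet-Date\n"
DEMO_BLOB = bytes(b ^ DEMO_KEY for b in DEMO_PLAINTEXT)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def score_candidate(decoded: bytes) -> tuple:
    """Rank a decoding: printable ratio first, then number of spaces.

    Spaces break ties because a decoded 0x20 can only come from one specific
    input byte, so keys that are off by a low bit (which keep text printable)
    usually lose on this count.
    """
    if not decoded:
        return (0.0, 0)
    printable = sum(1 for b in decoded if b in PRINTABLE) / len(decoded)
    return (printable, decoded.count(b" "))


def rank_keys(data: bytes) -> list:
    """Try all 256 keys; return (key, decoded) pairs, best candidate first."""
    scored = [(score_candidate(xor_decode(data, k)), k) for k in range(256)]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [(k, xor_decode(data, k)) for _, k in scored]


def recover_key(data: bytes) -> int:
    """Best-guess key for a text-like stage (heuristic; always eyeball the output)."""
    return rank_keys(data)[0][0]


def recover_key_with_crib(data: bytes, crib: bytes, offset: int) -> Optional[int]:
    """Derive the key from known plaintext at a known offset.

    Every crib byte must agree on the same key; otherwise the crib or the
    offset is wrong and None is returned instead of a misleading guess.
    """
    if not crib or offset < 0 or offset + len(crib) > len(data):
        return None
    keys = {data[offset + i] ^ crib[i] for i in range(len(crib))}
    return keys.pop() if len(keys) == 1 else None


if __name__ == "__main__":
    key = recover_key(DEMO_BLOB)
    print(f"heuristic key: 0x{key:02X}")
    print(xor_decode(DEMO_BLOB, key).decode("ascii"))
```

The heuristic scorer is meant for script-like stages; if the decrypted content were a PE or shellcode instead, the crib routine with an expected header byte is the more reliable route, and a wrong crib or offset returns None rather than a plausible-looking but wrong key.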
RokRat is designed to gather detailed system information, including OS version, computer name, and logged-in user details.
It also captures screenshots and enumerates running processes, exfiltrating this data to command-and-control (C2) servers via cloud services like pCloud, Yandex, and Dropbox.
The malware uses these platforms’ APIs to send, download, and delete files, embedding OAuth tokens for seamless communication.
Additionally, RokRat can execute remote commands, allowing attackers to perform data exfiltration, system reconnaissance, and process termination.
To evade detection, RokRat employs anti-analysis techniques such as detecting VMware Tools to identify virtual environments and using sandbox detection methods like creating and deleting temporary files.
According to the researchers, it also checks for debuggers using IsDebuggerPresent.
The malware encrypts its communications using XOR and RSA encryption, ensuring that only the attackers can decrypt the data.
Commands from the C2 server are received in AES-CBC encrypted form, decrypted locally, and executed on the system.
These commands can include data collection, file deletion, and termination of the malware process.
The use of legitimate cloud services for C2 operations allows RokRat to blend into normal network traffic, making it challenging to detect.
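Because the C2 channel rides on legitimate storage services, the useful detection question is not "is this host talking to Dropbox" but "which process is talking to the storage API, and is that process expected to". The following is an added example (not from the article or from any vendor product) of that triage filter applied to constructed endpoint network-log lines. The API hostnames are the public endpoints I assume for the three services named above, and the allowlist of expected client processes is an assumption to be tuned per environment.

```python
"""Flag cloud-storage API traffic from unexpected processes.

Added example, not from the article. SAMPLE_LOG is constructed; the API
hostnames are the public endpoints assumed for pCloud, Yandex Disk and
Dropbox, and EXPECTED_CLIENTS is an assumed per-environment allowlist.
"""
import csv
import io

# Assumed public API hostnames for the services named in the report.
CLOUD_API_HOSTS = {
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Processes that legitimately reach these APIs in this (assumed) environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}

# Constructed sample log, one connection per line: timestamp,host,process,dest_host
SAMPLE_LOG = """\
2025-03-10T09:14:02Z,WS-0042,chrome.exe,api.dropboxapi.com
2025-03-10T09:15:11Z,WS-0042,powershell.exe,api.pcloud.com
2025-03-10T09:15:13Z,WS-0042,powershell.exe,cloud-api.yandex.net
2025-03-10T09:16:40Z,WS-0077,outlook.exe,outlook.office365.com
2025-03-10T09:17:05Z,WS-0077,dropbox.exe,content.dropboxapi.com
malformed line without enough fields
"""


def find_suspicious_cloud_api_use(log_text: str) -> list:
    """Return rows where a non-allowlisted process contacts a storage API host."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, host, process, dest = (field.strip() for field in row)
        service = CLOUD_API_HOSTS.get(dest.lower())
        if service is None or process.lower() in EXPECTED_CLIENTS:
            continue
        findings.append(
            {"timestamp": ts, "host": host, "process": process,
             "service": service, "dest": dest}
        )
    return findings


def hosts_with_multiple_services(findings: list) -> set:
    """Hosts whose unexpected process reached more than one storage provider.

    A single process using several providers in a short window matches the
    multi-provider behaviour described for RokRat better than any one hit.
    """
    seen = {}
    for f in findings:
        seen.setdefault((f["host"], f["process"]), set()).add(f["service"])
    return {host for (host, _), services in seen.items() if len(services) > 1}


if __name__ == "__main__":
    hits = find_suspicious_cloud_api_use(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['timestamp']} {hit['host']} {hit['process']} -> {hit['service']} ({hit['dest']})")
    print("multi-provider hosts:", hosts_with_multiple_services(hits))
```

The second function is the part worth keeping: one PowerShell connection to a storage API is noisy in many environments, but the same unexpected process touching two or three providers from one workstation is a much tighter match for the behaviour the report describes.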
This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.