North Korean Malware Analysis: ROKRAT KillChain
Learn How North Korea infects victims
Buy Our Courses: https://guidedhacking.com/register/
Visit Checkpoint: https://research.checkpoint.com/2023/...
Donate on Patreon: /guidedhacking
Follow us on Social Media: https://linktr.ee/guidedhacking
GH Article Link: https://guidedhacking.com/threads/nor...
North Korean Malware Video Description:
In this walkthrough, we analyze a North Korean malware campaign targeting individuals in South Korea. The coverage was inspired by a blog post recently released by Checkpoint Research, which outlines many of the different lures that ultimately drop the ROKRAT malware, a signature of North Korean attacks.
Some of the lures used by North Korea appear to be political documents: outlines of plans or the status of proposed laws. The infection chain we look at in this video starts with a ZIP file. We focus on the techniques used, from the initial ZIP file to the PowerShell stage.
Upon opening the ZIP file, we find four files: two PDFs, one DOCX file, and a shortcut (LNK) file. A shortcut is a graphical reference to a file located elsewhere on the user's computer, and an LNK file can execute code depending on the arguments it carries.
North Korean Malware Reverse Engineering
When hovering over the LNK file, we find that it points to cmd.exe. As we continue our malware analysis, we notice that checking the properties of the LNK file in Windows modifies it (its file size changes), so instead of relying on Windows to inspect the file, we use LECmd for the analysis.
Our malware analysis with LECmd reveals a PowerShell command that decodes embedded data. The decoded data is written into two files: a PDF, which is opened, and a BAT file, which is executed. When the LNK file is run, no window is shown; the PDF opens while the BAT file runs in the background.
The BAT file decodes further text and executes it in PowerShell. That code downloads and executes the ROKRAT malware, the North Korean APT's final payload, from a OneDrive link.
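To make the LNK triage step above concrete, here is an added Python example (not code from the video, from LECmd, or from Checkpoint) that parses a shortcut's ShellLinkHeader and StringData per the MS-SHLLINK layout and flags the traits described: a command line that points at cmd.exe or PowerShell and a ShowCommand that keeps the window hidden. The shortcut it builds is a constructed fixture for the parser, not the campaign's file.

```python
import struct

# MS-SHLLINK: header size + LinkCLSID, then the LinkFlags bits this triage needs
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]   # StringData order
SUSPICIOUS = ("cmd.exe", "powershell", "-w hidden", "-windowstyle hidden",
              "-enc", "frombase64string", "iex", ".bat")

def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk file."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0], "size": len(data)}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (u32 total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:               # each string: u16 char count, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return info

def triage_lnk(data: bytes) -> list:
    """Return reasons a shortcut deserves a closer look (empty list = nothing flagged)."""
    info = parse_lnk(data)
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = [f"command line contains '{s}'" for s in SUSPICIOUS if s in cmdline]
    if info["show_command"] == 7:                # SW_SHOWMINNOACTIVE: no visible window
        findings.append("ShowCommand=7 (runs without a visible window)")
    if len(info.get("arguments", "")) > 260:     # a real shortcut rarely needs this much
        findings.append(f"oversized arguments ({len(info['arguments'])} chars)")
    return findings

def build_sample_lnk(target: str, args: str, show_command: int = 1) -> bytes:
    """Constructed test fixture (not a real sample): Unicode .lnk with RelativePath + Arguments."""
    header = bytearray(LNK_MAGIC) + bytearray(0x4C - len(LNK_MAGIC))
    struct.pack_into("<I", header, 0x14, 0x08 | 0x20 | IS_UNICODE)
    struct.pack_into("<I", header, 0x3C, show_command)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
    return bytes(header) + body
```

Run it over a real shortcut with `triage_lnk(open(path, "rb").read())`; the oversized-arguments check is the cheap equivalent of the size oddity LECmd surfaces in the video.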
North Korean malware presents a serious threat in the global cyber landscape. A notable example is the RokRat malware, attributed to the DPRK's Advanced Persistent Threat (APT) groups. The RokRat virus is a well-crafted tool for cyber-espionage, capable of stealing information and maintaining a covert presence on infected systems.
RokRat malware analysis reveals its sophistication. It employs multiple anti-analysis techniques, making detection and remediation challenging. RokRat can also utilize multiple communication methods to relay stolen information back to the threat actors, including popular cloud platforms, minimizing suspicious network traffic.
As part of the North Korean APT arsenal, RokRat aligns with the nation's larger cyber operations strategy. The DPRK's cyber efforts typically aim at espionage, sabotage, or financial gain, taking advantage of the anonymity and broad reach of digital spaces. Understanding and countering threats like RokRat is a priority in modern cybersecurity, requiring continual vigilance and comprehensive threat intelligence.
Despite international efforts to deter North Korean cyber activities, the DPRK malware threat persists. The consistent evolution and adaptation of tools like RokRat underscore the significance of ongoing research and defense strategy refinement in the fight against state-sponsored cyber threats.
Fr3dhk, known in cybersecurity circles as a proficient malware analyst, has made substantial contributions to the understanding of various malware types. Leveraging his expertise, he meticulously dissects malicious software, revealing their inner workings and methodologies, which are then used to improve defense strategies and systems.
GuidedHacking.com serves as an essential resource in the cybersecurity and ethical hacking community, hosting tutorials, discussions, and tools beneficial for both novices and experienced individuals. It emphasizes teaching how to understand and create hacks, promoting a learning culture that goes beyond just using ready-made exploits.
A platform like GuidedHacking.com lets you not only learn new strategies and improve your techniques, but also guide others.
Given the evolving landscape of cyber threats, it is through the concerted efforts of platforms like GuidedHacking.com that the cybersecurity community stays ahead of threat actors, identifying vulnerabilities and developing robust solutions to ensure security.
Timestamps:
0:00 Checkpoint Research
1:02 Analyzing the ZIP File
2:27 Analyzing the LNK File
3:36 Decoding the Arguments
4:37 Join GuidedHacking.com
5:04 Extracting & Analyzing BAT File
7:12 Decrypting Encoded Data
8:35 Loading Next Stage
9:01 Outro & Resources
Tags:
North Korean Malware
#malwareanalysis
DPRK cyber
#fr3dhk
North Korean cyber
#reverseengineering
DPRK malware
North Korean hacking