Analysis of malicious HWP cases of APT37 group distributed through K messenger

The report details a sophisticated APT attack targeting South Korea that combined spear-phishing with malicious HWP files distributed through a popular Korean messenger service. The APT37 group relied on trust-based tactics, using compromised accounts to spread malware through group chats. The malicious files contained OLE objects that executed PowerShell commands and shellcode, ultimately deploying the RoKRAT malware. This file-less attack method allowed for information gathering and potential remote control of infected systems, and the attackers used pCloud both for data exfiltration and for command-and-control communication. The report emphasizes the importance of endpoint detection and response (EDR) systems in combating such evolving threats.

Author: AlienVault

Related Tags:
hwp
file-less
ole
T1588.001
spear-phishing
pcloud
RokRAT
T1059.001
T1567

Associated Indicators:
1C3BB05A03834F56B0285788D988AAE4
AAE7595FBB6534C389652DA871B9FD17
5B44285747891464C496AA477E450F10
1D736803CB8FBB910DC0150087530DE7
B42A47FC422868E0F1DF99EE3B9CBB21
1A70A013A56673F25738CF145928D0F5
1FCFEA1ED7F0DA272D37EFF49371FCF0
EBABA93172F6BCB47B1BB4A270542E98
2569E4CC739CE441F8CBEB13CC3CA51A