RokRat Technical Analysis

This blog post comes from the RokRat Technical Analysis report. If you want to download it as a PDF click here

Executive Summary

APT37 has targeted countries such as South Korea, Japan, and other neighboring regions by distributing phishing emails that contain .lnk files disguised as PDFs to mislead users. Several files are dropped in the user directories once a user downloads and executes this .lnk file. These files then execute the payload, RokRAT, through PowerShell commands.

RokRAT, the payload executed by the .lnk files, is a powerful tool in the hands of APT37. It can remotely manage the victim system, gathering crucial information such as the username and computer name. It can also capture screenshots, record audio, and execute remote commands. These capabilities enable a range of malicious activities, including uploading and downloading files, exfiltrating data, and enumerating files and drives.

The attack vector is particularly concerning due to its sophisticated nature and the ability to maintain prolonged access to compromised systems. By leveraging these capabilities, APT37 can conduct extensive espionage and data theft operations. The malware’s multi-functional nature and deceptive phishing tactics underscore the importance of robust cybersecurity measures and user awareness to mitigate such threats.


  Filename: CRS Report.lnk
  Filetype: Windows shortcut
  Written Language:
  First Seen / Detection Date: 2024-04-03
  Initial Infection Vector: Phishing e-mail
Table 1: File fingerprint

  Written Language: C/C++
  First Seen / Detection Date: 2024-04-03
  Initial Infection Vector: Payload
Table 2: File fingerprint

MITRE ATT&CK Threat Matrix

  • TA0001 Initial Access
    • T1566 Phishing
  • TA0002 Execution
    • T1059 Command and Script Interpreter
  • TA0005 Defense Evasion
    • T1027 Obfuscated Files or Information
    • T1622 Debugger Evasion
    • T1140 Deobfuscate/Decode Files or Information
    • T1070 Indicator Removal
      • T1070.004 File Deletion
    • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks
  • TA0007 Discovery
    • T1033 System Owner/User Discovery
    • T1057 Process Discovery
    • T1082 System Information Discovery
    • T1083 File and Directory Discovery
    • T1087 Account Discovery
  • TA0009 Collection
    • T1113 Screen Capture

Mitigation Strategies

Regularly check the %temp% and %public% directories on your system for any unusual or unauthorized files. These directories are commonly targeted by malware to store and execute malicious files. Implementing strict monitoring and cleanup routines can help identify and remove potential threats before they cause harm.

Be particularly wary of .lnk (shortcut) files disguised to look like PDF documents. Attackers often use such tactics to trick users into executing malicious code. Always verify the file extension and be suspicious of any unexpected .lnk files, especially if they arrive via email or from unknown sources.

Exercise caution when downloading and opening files from the internet, especially if the source is not verified or trustworthy.
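To make the first two mitigations concrete, here is an added example that is not code from the report or its authors: a small Python triage script that walks %TEMP% and %PUBLIC%, parses each .lnk header and its StringData according to the MS-SHLLINK layout, and flags shortcuts that carry a document-style double extension or whose target is a script interpreter. The interpreter keyword list, the document-extension list and the sample shortcut it builds are constructed assumptions for illustration, not indicators from the report.

```python
import os, struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80         # LinkFlags bits (header offset 0x14)
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),  # fixed order; each
               (0x20, "arguments"), (0x40, "icon_location")]                   # gated by a flag bit
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "-enc", "-w hidden")  # assumed list
def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (.lnk), skipping the IDList and LinkInfo blocks."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C   # first byte after the 0x4C header
    if flags & HAS_IDLIST:    # u16 IDListSize, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # u32 LinkInfoSize, which counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_DATA:
        if flags & bit:       # u16 CountCharacters followed by the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + width * count].decode(enc, "replace")
            pos += 2 + width * count
    return fields

def triage_lnk(path: str, data: bytes) -> list:
    """The report's two checks: a document-like double extension, and a script interpreter as target."""
    target = " ".join(parse_lnk(data).get(k, "") for k in ("relative_path", "arguments")).lower()
    findings = []
    if path.lower()[:-4].endswith((".pdf", ".doc", ".docx", ".hwp", ".xlsx")):  # assumed extension list
        findings.append("shortcut disguised as a document (double extension)")
    hits = [s for s in INTERPRETERS if s in target]
    if hits:
        findings.append("launches a script interpreter: " + ", ".join(hits))
    return findings

def scan_dirs(dirs=("%TEMP%", "%PUBLIC%")) -> dict:
    """Walk the directories the report singles out; return {path: findings} for every flagged .lnk."""
    results = {}
    for d in dirs:
        for root, _, files in os.walk(os.path.expandvars(d)):
            for path in (os.path.join(root, n) for n in files if n.lower().endswith(".lnk")):
                with open(path, "rb") as fh:
                    results[path] = triage_lnk(path, fh.read())
    return {p: f for p, f in results.items() if f}

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input, not a real sample: a minimal Unicode .lnk with RelativePath and Arguments."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header.ljust(0x4C, b"\0") + body
```

Running `scan_dirs()` on a Windows host prints nothing for clean directories; each flagged shortcut is returned with the reasons it matched, so the output can be fed to a ticket or a scheduled task rather than read by hand.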


This report presents an in-depth technical analysis of the RokRAT malware attributed to APT37. The malware exhibits a range of sophisticated features. RokRAT is particularly notable for its capacity to deeply infiltrate target systems, exfiltrate data, and perform remote command and control operations. Such malware represents a significant threat, especially to organizations with vulnerabilities in their information security.

Our examination has meticulously analyzed RokRAT’s code structure, communication protocols, and behavioral traits, offering crucial insights into its propagation mechanisms. These insights are invaluable for organizations aiming to develop more robust protective measures. The advanced stealth techniques employed by the malware highlight the need for more sensitive and enhanced alert systems.

RokRAT exemplifies the sophistication and persistence typical of Advanced Persistent Threat (APT) operations. Its architecture, which includes a multi-stage deployment with dropper and remote access trojan (RAT) components, enables it to perform initial reconnaissance and maintain undetected access to targeted systems. Its capability to execute arbitrary commands, manage files, and securely communicate with its command-and-control servers allows it to conduct a wide array of malicious activities, ranging from data theft to the delivery of secondary payloads.
