{
	"id": "0e35a927-f51e-460f-bc6d-38a2c2edcdcc",
	"created_at": "2026-04-06T00:10:06.736989Z",
	"updated_at": "2026-04-10T13:11:20.122471Z",
	"deleted_at": null,
	"sha1_hash": "8aa2bca013b0f5aef17ad14fe11df96c7992d5c6",
	"title": "Introducing ROKRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1123759,
	"plain_text": "Introducing ROKRAT\r\nBy Paul Rascagneres\r\nPublished: 2017-04-03 · Archived: 2026-04-05 20:48:59 UTC\r\nThis blog was authored by Warren Mercer and Paul Rascagneres with contributions from Matthew Molyett.\r\nExecutive Summary\r\nA few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed, this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT.\r\nLike in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was 'kgf2016@yonsei.ac.kr', which is the contact email of the Korea Global Forum, where the slogan in 2016 was \"Peace and Unification of the Korean Peninsula\". This fact gives more credit and legitimacy to the email.\r\nThe HWP document contained an embedded Encapsulated PostScript (EPS) object. As with our previous publication, this is again zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently both for C2 communications and as exfiltration platforms. 
Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens.\r\nSpear Phishing Campaign\r\nBelow are examples of the emails used against victims in South Korea.\r\nhttps://blog.talosintelligence.com/2017/04/introducing-rokrat.html\r\nPage 1 of 15\n\nThe first email we discovered was the most interesting. In this first sample, we observed the attackers praising the user for accepting to join a panel relating to the \"Korean Reunification and North Korean Conference\". The text in the email explains that the receiver should complete the document to provide necessary feedback. However, this appears to be a fake conference. The closest match we identified to any Unification conference was held in January 2017, which was the NYDA Reunification conference. The sender is 'kgf2016@yonsei.ac.kr', which is the contact email of the Korea Global Forum.\r\nWhen we analyzed the email headers we were able to determine the sender IP was 165.132.10.103. With a little magic from our friend 'nslookup' we quickly determined this to be part of the Yonsei University network, the SMTP server in fact. We believe that the email address was compromised and abused by the attackers to send the email used in this campaign.\r\nThe sample filename translates as 'Unification North Korea Conference _ Examination Documents', which reinforces the text in the email about the reunification conference. For an added bonus, the attacker even suggests in the email that people who completed the document would get paid a 'small fee'. Perhaps the gift of embedded malware is the payment.\r\nThe second email Talos analyzed had less effort applied. 
The email was from a free Korean mail service provided by Daum, Hanmail, showing there was no attempt at trying to appear to be from an official body or person compared with the previous email. The subject was merely 'Request Help' while the attachment filename was 'I'm a munchon person in Gangwon-do, North Korea'. We suspect the attacker is hoping the victim will feel empathetic toward the sender as the Kangwon Province (where Munch'ŏn is located) was previously part of South Korea. The attachment contains a story about a person called 'Ewing Kim' who is looking for help.\r\nThe email's attachments are two different HWP documents, both leveraging the same vulnerability, CVE-2013-0808.\r\nMalicious HWP Document\r\nAn HWP document is composed of OLE objects. In our case, it contains an EPS object named BIN0001.eps. As with all HWP documents, the information is zlib compressed, so you must decompress the .eps to get the true shellcode.\r\nThe shellcode used to exploit CVE-2013-0808 can be identified in the EPS object:\r\nAn interesting thing is that the shellcode does not start with a 'normal' NOP sled using 0x90 but with 0x0404 (add al, 0x4):\r\nuser@lnx$ rasm2 -d 0404040404040404040490909090909090909090E8000000005E\r\nadd al, 0x4\r\nadd al, 0x4\r\nadd al, 0x4\r\nadd al, 0x4\r\nadd al, 0x4\r\nnop\r\nnop\r\nnop\r\nnop\r\nnop\r\nnop\r\nnop\r\nnop\r\nnop\r\nnop\r\ncall 0x19\r\npop esi\r\nThe purpose of the shellcode embedded in the 2 HWP documents is to download and decode a payload available on the Internet. Once decoded, the file (a PE32) is executed. 
Here is the extracted URL which the document attempts to download the .jpg from:\r\nSHA256: 7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e\r\nFilename: 통일북한학술대회_심사서류.hwp (\"North Korea Conference _ Examination Documents\")\r\nURL: http://discgolfglow[.]com/wp-content/plugins/maintenance/images/worker.jpg\r\nSHA256: 5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f\r\nFilename: 저는요 북조선 강원도 문천 사람이에요.hwp (\"I'm a munchon person from Gangwon Province in North Korea.\")\r\nURL: http://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg\r\nROKRAT Analysis\r\nThe RATs downloaded by the 2 HWP documents belong to the same family. The main difference between the samples is the Command and Control capabilities. One of the samples analyzed only uses Twitter to interact with the RAT, while the second one additionally uses the cloud platforms Yandex and Mediafire. The Twitter tokens we were able to extract are the same in both variants. There is obvious ongoing effort to add features to this RAT to allow for more sophisticated levels of attacks.\r\nAnalysis Frustrations!\r\nThe ROKRAT author implements several techniques typically seen to frustrate human analysts and avoid sandbox execution.\r\nFirst, the malware does not run on Windows XP systems. It uses the GetVersion() API to get the OS version. If the MajorVersion is 5 (corresponding to Windows XP or Windows Server 2003), the malware executes an infinite loop of sleep:\r\nAdditionally, the malware checks the currently running processes in order to identify tools usually used by malware analysts or within sandbox environments. 
The code used to perform this task:\r\nThe malware checks the process names in use on the victim machine. It compares whether the executed process name matches a partial name hardcoded in the sample. Here is the complete list:\r\n\"mtool\" for VMWare Tools\r\n\"llyd\" for OllyDBG\r\n\"ython\" for Python (used by Cuckoo Sandbox for example)\r\n\"ilemo\" for File Monitor\r\n\"egmon\" for Registry Monitor\r\n\"peid\" for PEiD\r\n\"rocex\" for Process Explorer\r\n\"vbox\" for VirtualBox\r\n\"iddler\" for Fiddler\r\n\"ortmo\" for Portmon\r\n\"iresha\" for Wireshark\r\n\"rocmo\" for Process Monitor\r\n\"utoru\" for Autoruns\r\n\"cpvie\" for TCPView\r\nIf any of these processes are discovered running on the system during this phase of execution, the malware jumps to a fake function which generates dummy HTTP traffic. Additionally, we discovered that if the malware is being debugged, if it was not executed from the HWP document (i.e. by double clicking the binary), or if the OpenProcess() function succeeds on the parent process, the fake function is also called.\r\nThe purpose of this appears to be to generate network traffic to provide some level of feedback/discovery during any dynamic analysis research. This could generate a seemingly 'good' indicator of compromise when in fact it is merely fake traffic. The fake function performs connections to the following URLs:\r\nhttps://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg\r\nhttp://www[.]hulu[.]com/watch/559035/episode3.mp4\r\nThe Amazon URL displays a WWII game called 'Men of War' whilst the Hulu URL attempts to stream a Japanese anime show called 'Golden Time'.\r\nThese URLs are not malicious. The malware pretends to navigate to these locations. 
The files did not exist during the investigation and were downloaded only if a malware analyst tool is running on the system. We believe these URLs are used in an attempt to trick any analysis.\r\nC\u0026C Infrastructure\r\nROKRAT uses legitimate platforms in order to communicate, receive orders and exfiltrate documents. In total, we identified 12 hardcoded tokens used to communicate with these legitimate platforms, all via their public APIs.\r\nCC #1: Twitter\r\nThe first CC discovered is Twitter. We identified 7 different Twitter API tokens hardcoded in the sample (Consumer Key + Consumer Secret + Token + Token Secret). The malware is able to get orders by checking the last message on the Twitter timeline. The order can be to execute commands, move a file, remove a file, kill a process, or download and execute a file. The RAT is also able to tweet. The sent data is randomly prefixed by one of the following hardcoded 3-character words:\r\nSHA-TOM-BRN-JMS-ROC-JAN-PED-JHN-KIM-LEE-\r\nTo perform these tasks, the malware uses the official Twitter API:\r\nCC #2: Yandex\r\nThe second CC is Yandex and more specifically the Yandex cloud platform. This platform allows the creation of disks in the Yandex cloud. Concerning this CC, we identified 4 Yandex tokens hardcoded in the sample. The API is used to download and execute files or to upload stolen documents. The exfiltrated documents are uploaded to:\r\ndisk:/12ABCDEF/Document/Doc20170330120000.tfs\r\nWhere \"12ABCDEF\" is a random hexadecimal ID to identify the target and Doc20170330120000 contains the date.\r\nCC #3: Mediafire\r\nThe last cloud platform used by the Remote Administration Tool is Mediafire. 
This website is used in the same way as Yandex: the purpose is to use the file storage provided by Mediafire in order to download and execute files or to upload stolen information.\r\nIn this case, the malware author hardcoded one account in the sample (email / password / application ID).\r\nAdditional Features: Screenshot Capture \u0026 Keylogger\r\nAdditionally, one of the samples is able to capture screenshots of the infected system. To perform this task, the developer used the GDI API:\r\nA keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the struck keys. The GetKeyNameText() API is used to retrieve a string that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to know where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() APIs).\r\nConclusion\r\nThis campaign shows us a motivated malware actor. The usage of HWP (an application mainly used in Korea) and the fact that the emails and documents are perfectly written in Korean suggest that the author is a native Korean speaker.\r\nThe RAT used during this campaign was innovative, using novel communication channels. ROKRAT uses Twitter and two cloud platforms (Yandex and Mediafire) in order to give orders, send files, and get files. This communication channel is extremely hard to contain because organizations often have legitimate uses of these platforms. The malware includes exotic features such as the fact that it performs requests to legitimate websites (Amazon and Hulu) if the sample is executed in a sandbox or if a malware analyst tool is used. 
We assume the goal is to generate incorrect reports and IOCs.\r\nThis investigation shows us once again that South Korea interests sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email, which increased the chance of success. And we know that it was a success: during the writing of the article we identified infected systems communicating with the command \u0026 control previously mentioned.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nIOCs\r\nFile hashes\r\nHWP Documents:\r\n7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e\r\n5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f\r\nROKRAT PE32:\r\ncd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c\r\n051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00\r\nNetwork\r\nMalicious URLs:\r\nhttp://discgolfglow[.]com/wp-content/plugins/maintenance/images/worker.jpg\r\nhttp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg\r\nNot malicious URLs but could be used 
to identify RAT execution:\r\nhttps://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg\r\nhttp://www[.]hulu[.]com/watch/559035/episode3.mp4\r\nTokens\r\nMediafire Account #1\r\nUsername: ksy182824@gmail.com\r\nApplication ID: 81342\r\nTwitter Account #1\r\nConsumer key: sOPcUKjJteYrg8klXC4XUlk9l\r\nToken: 722226174008315904-u6P1FlI7IDg8VIYe720X0gqDYcAMQAR\r\nAccount #2\r\nConsumer key: sgpalyF1KukVKaPAePb3EGeMT\r\nToken: 759577633630593029-CQzXMfvsQ2RztFYawUPeVbAzcSnwllX\r\nAccount #3\r\nConsumer key: XVvauoXKfnAUm2qdR1nNEZqkN\r\nToken: 752302142474051585-r2TH1Dk8tU5TetUyfnw9c5OgA1popTj\r\nAccount #4\r\nConsumer key: U1AoCSLLHxfeDbtxRXVgj7y00\r\nToken: 779546496603561984-Qm8CknTvS4nKxWOB4tJvbtBUMBfNCKE\r\nAccount #5\r\nConsumer key: 9ndXAB6UcxhQVoBAkEKnwzt4C\r\nToken: 777852155245080576-H0kXYcQCpV6qiFER38h3wS1tBFdROcQ\r\nAccount #6\r\nConsumer key: QCDXTaOCPBQM4VZigrRj2CnJi\r\nToken: 775849572124307457-4ICTjYmOfAy5MX2FxUHVdUfqeNTYYqj\r\nAccount #7\r\nConsumer key: 2DQ8GqKhDWp55XIl77Es9oFRV\r\nToken: 778855419785154560-0YUVZtZjKblo2gTGWKiNF67ROwS9MMq\r\nYandex\r\nToken #1: AQAAAAAYm4qtAANss-XFfX3FjU8VmVR76k4aMA0\r\nToken #2: AQAAAAAA8uDKAANxExojbqps-UOIi8kc8EAhcq8\r\nToken #3: AQAAAAAY9j8KAANyULDuYU1240rjvpNXcRdF5Tw\r\nToken #4: AQAAAAAZDPB1AAN6l1Ht3ctALU1flix57TvuMa4\r\nSource: https://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/04/introducing-rokrat.html"
	],
	"report_names": [
		"introducing-rokrat.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8aa2bca013b0f5aef17ad14fe11df96c7992d5c6.pdf",
		"text": "https://archive.orkl.eu/8aa2bca013b0f5aef17ad14fe11df96c7992d5c6.txt",
		"img": "https://archive.orkl.eu/8aa2bca013b0f5aef17ad14fe11df96c7992d5c6.jpg"
	}
}