Cybersecurity researchers have uncovered a classy malware marketing campaign the place risk actors are exploiting Hangul Phrase Processor (.hwp) paperwork to distribute the infamous RokRAT malware.
This marks a big shift from the malware’s conventional distribution methodology via malicious shortcut (LNK) information, demonstrating the evolving techniques of superior persistent risk teams.
The assault marketing campaign makes use of fastidiously crafted social engineering lures with doc names corresponding to “250615_Operation standing of grain retailer.hwp” and “[Notice] Q1 VAT Return Submitting Deadline (Ultimate)” to entice victims into opening malicious attachments.
Doc content material (Supply – ASEC)
These paperwork comprise seemingly reliable content material about North Korean grain distribution factors, successfully masking their malicious intent whereas constructing credibility with focused customers.
ASEC analysts recognized that the malware leverages a classy approach involving embedded OLE (Object Linking and Embedding) objects inside the HWP paperwork.
Hyperlink to execute ShallRunas.exe (Supply – ASEC)
When victims entry the doc web page containing these objects, the Hangul course of robotically creates malicious information together with ShellRunas.exe and credui.dll within the system’s short-term listing (%TEMP% path).
The assault chain concludes with victims clicking a hyperlink labeled “[Appendix] Reference Supplies.docx” on the doc’s backside, triggering a safety warning that prompts execution of the embedded malware parts.
DLL Facet-Loading Assault Mechanism
The malware employs a classy DLL side-loading techniqueables to bypass safety controls.
Shellcode inserted into the picture (Supply – ASEC)
The first assault vector makes use of ShellRunas.exe, a reliable Home windows utility, which robotically masses the malicious credui.dll from the identical listing path.
Authentic Program: ShellRunas.exe (Microsoft-signed)
Malicious Payload: credui.dll (loaded by way of DLL side-loading)
Ultimate Stage: Downloads Father.jpg containing RokRAT shellcode
This method permits risk actors to execute malicious code whereas showing to make use of trusted system parts, considerably complicating detection efforts and enabling the deployment of RokRAT’s complete knowledge assortment capabilities.
Increase detection, scale back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Attempt ANY.RUN Now
