A recent cyber threat campaign has been identified where hackers are leveraging genuine academic event details to distribute malware. The operation involves sending fake documents that appear to be related to actual seminars, thereby deceiving recipients into downloading malicious software.
Phishing Campaign Targets Researchers
This campaign involves the delivery of a variant of RokRAT via a deceptive document package. The attackers have utilized information from a real academic event to make the phishing email appear legitimate, increasing the likelihood of its opening.
The emails direct recipients to an ISO file hosted in the cloud, which mimics a standard conference document download. Once opened, this file releases malware onto the user’s system. Genians, a cybersecurity firm, has reported this activity as Operation Capsule Vault, highlighting the tactic of concealing malware within what appears to be a credible document.
Detailed Analysis of the Attack Methodology
The phishing emails falsely claimed to distribute materials for the Honsan Kalma Tourism Forum, a legitimate event held in Seoul. By impersonating another organization, the hackers successfully framed the email as a customary business notification containing conference information.
Instead of a typical document, the email contained a link to a Dropbox-hosted ISO image. This image, named to resemble a seminar booklet, included a program disguised as a PDF file. When executed, it displayed an expected academic document while surreptitiously performing malicious activities in the background.
RokRAT’s Stealthy Operation
Upon execution, the malware injects the RokRAT payload into explorer.exe, a standard Windows process. This technique helps the malware remain undetected by leveraging legitimate system processes to conceal its operations.
RokRAT gathers system information and establishes cloud-based communications. It supports platforms like Dropbox, pCloud, and Yandex for command reception and data exfiltration. Capabilities of RokRAT include taking screenshots, collecting files, and executing commands from its operators.
Researchers have linked this campaign to the broader RokRAT malware family through its use of cloud services and similarities in code and tactics, suggesting a connection to the APT37 group. Organizations are advised to verify unexpected emails through official channels and monitor for unusual activities associated with ISO files and process injections.
To mitigate such threats, cybersecurity teams should focus on proactive detection and response strategies, ensuring robust email security protocols are in place to prevent potential breaches.
