ROKRAT is a Remote Access Trojan (RAT), also detected under the name DOGcall, that is delivered through a malicious Hangul Word Processor (HWP) document carrying an Encapsulated PostScript (EPS) object. It can be spread through spear phishing, malicious email attachments, Office documents containing macros and compromised websites. The EPS object exploits a known vulnerability (CVE-2013-0808) to download ROKRAT disguised as a .jpg file. The Command and Control (C&C) servers used by ROKRAT are legitimate websites: ROKRAT uses Yandex, Mediafire, Twitter and other cloud platforms both to communicate with its C&C infrastructure and as exfiltration channels.
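One defensive check that follows from the ".jpg that is really a payload" step above, added here as an example and not taken from the article or from any ROKRAT sample: compare a file's extension with what its leading bytes actually say. The magic numbers are public constants; the sample files are constructed inline.

```python
# Added example (not from the original article): flag files whose extension
# claims an image but whose leading bytes say "Windows executable", the kind of
# mismatch a payload "impersonating a .jpg file" produces. Sample bytes are
# constructed here; no real ROKRAT sample is used.
import os
from typing import Optional

# Well-known magic numbers (public constants) for the formats of interest.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe",            # DOS/PE header used by Windows executables and DLLs
    b"%!PS": "postscript",  # EPS/PostScript, the vehicle used in the HWP lure
}

# Extensions we police and the content type each one promises.
EXTENSION_EXPECTS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
}

def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None

def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a finding string when the extension promises an image but the
    content is something else (notably a PE); None when consistent or unpoliced."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_EXPECTS.get(ext)
    if expected is None:
        return None  # extension not one we police
    actual = identify(data)
    if actual == expected:
        return None
    return f"{filename}: extension claims {expected}, content looks like {actual or 'unknown'}"

# Constructed samples: a genuine JPEG header and a PE header renamed to .jpg.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "image.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
}

def scan(samples=SAMPLES) -> list:
    """Run the mismatch check over a name->bytes mapping and return findings."""
    return [f for name, data in samples.items() if (f := extension_mismatch(name, data))]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```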
Using ROKRAT, attackers can collect login data, exfiltrate information, take screenshots of the infected system and install additional software, including other malware, onto the network. ROKRAT loads shellcode into memory and then attempts to erase itself from the infected system. The shellcode strips the first layer of obfuscation; once that layer is removed, it injects ROKRAT's payload into the wscript.exe process, where the payload is decoded and the resulting DLL is injected into memory. ROKRAT then begins carrying out whatever it has been configured to do. Its first task is to collect information about the operating system, followed by the computer's user name and the FQP of the module in use. ROKRAT can also check for sandboxes and analysis libraries, send and collect files, monitor the processes currently running on the system, check for debugging tools and much more.
ROKRAT is one of several RATs used by APT37 to attack computers located in South Korea and has been active since 2016. Malware like ROKRAT is very stealthy, which makes its detection and removal a complicated task. This is why experts recommend removing it with an up-to-date and trustworthy malware removal product.