APT37’s Steganographic RoKRAT Malware Strikes Cloud Services – Crypto Sector at Risk
The post APT37’s Steganographic RoKRAT Malware Strikes Cloud Services – Crypto Sector at Risk appeared on BitcoinEthereumNews.com. APT37’s Steganographic RoKRAT Malware Strikes Cloud Services – Crypto Sector at Risk Malware is concealed in harmless pictures in order to be undetected. Secret control servers are taken over via cloud APIs. The threats to crypto platforms are credential theft and malware mining APT37 group in North Korea has released a new variant of malware called RoKRAT. It uses advanced evasion tactics to stay hidden. Its stealthy approach embeds malicious code within image files. This is because it uses a technique called steganography, thus it evades detection by the traditional security tools. Source – genians.co.kr RoKRAT executes attacks without leaving files on the disk. It inserts malicious code into legitimate Windows programs such as mspaint.exe and notepad.exe. It avoids antivirus software by executing code in memory. Cloud storage services of Dropbox, Yandex, and pCloud are also misused by the malware. These cloud environments are used by the attackers as command-and-control (C2) centers. Hidden Threats Inside Innocent Images Source – genians.co.kr The malware is ingenious in that it encapsulates its payload in non-threatening JPEG files. These image files carry encrypted code behind the scenes. RoKRAT’s dual-layer XOR encryption further complicates analysis. As soon as the malware is launched, it decrypts and runs this obscure code in memory. The malicious shortcut (LNK) files are packed in ZIP archives and start the infection. These shortcuts run hidden PowerShell commands. This action retrieves the encrypted images with the malware in accounts controlled by the attackers in the cloud. Since the code appears like any other image, it evades most of the defenses. Cloud Storage as Secret Hubs APT37 uses the common cloud storage APIs to remotely operate the malware. RoKRAT will communicate with such services as api.pcloud.com, cloud-api.yandex.net, and api.dropboxapi.com to transmit the data and obtain instructions. This makes its…
The post APT37’s Steganographic RoKRAT Malware Strikes Cloud Services – Crypto Sector at Risk appeared on BitcoinEthereumNews.com.
APT37’s Steganographic RoKRAT Malware Strikes Cloud Services – Crypto Sector at Risk Malware is concealed in harmless pictures in order to be undetected. Secret control servers are taken over via cloud APIs. The threats to crypto platforms are credential theft and malware mining APT37 group in North Korea has released a new variant of malware called RoKRAT. It uses advanced evasion tactics to stay hidden. Its stealthy approach embeds malicious code within image files. This is because it uses a technique called steganography, thus it evades detection by the traditional security tools. Source – genians.co.kr RoKRAT executes attacks without leaving files on the disk. It inserts malicious code into legitimate Windows programs such as mspaint.exe and notepad.exe. It avoids antivirus software by executing code in memory. Cloud storage services of Dropbox, Yandex, and pCloud are also misused by the malware. These cloud environments are used by the attackers as command-and-control (C2) centers. Hidden Threats Inside Innocent Images Source – genians.co.kr The malware is ingenious in that it encapsulates its payload in non-threatening JPEG files. These image files carry encrypted code behind the scenes. RoKRAT’s dual-layer XOR encryption further complicates analysis. As soon as the malware is launched, it decrypts and runs this obscure code in memory. The malicious shortcut (LNK) files are packed in ZIP archives and start the infection. These shortcuts run hidden PowerShell commands. This action retrieves the encrypted images with the malware in accounts controlled by the attackers in the cloud. Since the code appears like any other image, it evades most of the defenses. Cloud Storage as Secret Hubs APT37 uses the common cloud storage APIs to remotely operate the malware. RoKRAT will communicate with such services as api.pcloud.com, cloud-api.yandex.net, and api.dropboxapi.com to transmit the data and obtain instructions. This makes its…
What's Your Reaction?
