A malicious document examined by MalwareBytes Labs uses a VBA self-decoding technique to deliver RokRat to victim machines.
RokRat is a remote access tool (RAT) that relies on cloud storage services for its command and control, and it is believed to be the work of APT37, also known as ScarCruft, Reaper, and Group123.
The document carries an embedded macro built around a VBA self-decoding technique: the real macro is decoded and executed inside the memory of the Microsoft Office process, so the decoded script is never written to disk. Once that stage runs, it injects a variant of RokRat into a Notepad process.
The use of a new technique by this actor offers a useful view of APT37's evolving TTPs. Previously, the group relied on Hangul (HWP) office documents, a format widely used in South Korea, as its delivery mechanism.
The self-decoding technique was first introduced in 2016. The document contains a macro within a macro: the outer macro decodes the inner one and executes it, and its control flow is an IF/ELSE pair. The outer macro first probes whether it can access the VBA project object model (VBOM), the Office interface that lets code read and modify a document's own macro modules and that is disabled by default unless "Trust access to the VBA project object model" has been enabled. If the probe raises an exception, VBOM access is unavailable and must be bypassed first; that is the IF branch. If no exception occurs, the ELSE branch runs and uses the now-accessible VBOM to execute the decoded macro dynamically. Once VBOM access has been obtained, the macro creates a mutex on the victim machine.
The report speculates that the mutex serves as an infection marker so that the victim is only infected once. The macro then creates a new Office application instance with its window hidden, deobfuscates the second-stage macro with a decoding loop, adds that memory-injection macro to the hidden instance and calls its main function. The code injected into notepad.exe downloads the payload from a malicious URL, which in turn leads to a Google Drive link. As with previous versions of the malware, anti-analysis techniques are employed.
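To make the technique above concrete from the defender's side, here is an added example (not Malwarebytes' code and not the macro from the analysed sample) of a static heuristic in Python that scans extracted VBA source for the building blocks of the self-decoding pattern: the VBOM access probe and bypass, dynamic module creation, a hidden application instance, a byte-decoding loop, and a mutex. It assumes the macro source has already been extracted from the document (for example with olevba). The two embedded macros are constructed fixtures, not real samples; the stub's encoded string is a placeholder, and the indicator weights and threshold are assumptions chosen for this example rather than a published scoring scheme.

```python
"""Heuristic detector for the VBA self-decoding pattern (added example, assumptions noted)."""
import re
from dataclasses import dataclass, field

# Indicator name -> (regex, weight). Weights are an assumption for this example.
LINE_INDICATORS = {
    "vbom_access":     (re.compile(r"\.VBProject\b", re.I), 2),
    "vbom_bypass":     (re.compile(r"\bAccessVBOM\b", re.I), 3),          # registry value behind "Trust access to the VBA project object model"
    "dynamic_module":  (re.compile(r"\bVBComponents\.Add\b|\bAddFromString\b|\bCodeModule\b", re.I), 3),
    "hidden_instance": (re.compile(r"\.Visible\s*=\s*False\b", re.I), 1),
    "new_app_object":  (re.compile(r"CreateObject\s*\(\s*\"(?:Word|Excel|PowerPoint)\.Application", re.I), 2),
    "mutex":           (re.compile(r"\bCreateMutex[AW]?\b", re.I), 1),
    "error_probe":     (re.compile(r"\bOn\s+Error\s+(?:Resume\s+Next|GoTo)\b|\bErr\.Number\b", re.I), 1),
}
DECODE_LOOP_WEIGHT = 2
THRESHOLD = 6  # assumption: total weight at which we call the macro suspicious


@dataclass
class Verdict:
    hits: dict = field(default_factory=dict)  # indicator -> 1-based line numbers
    score: int = 0
    suspicious: bool = False


def find_decode_loops(lines, window=6):
    """Return line numbers of For loops whose next `window` lines do per-character arithmetic."""
    body = re.compile(r"\bXor\b|\bChr[W$]?\s*\(|\bMid[$]?\s*\(", re.I)
    return [i + 1 for i, line in enumerate(lines)
            if re.match(r"\s*For\b", line, re.I)
            and any(body.search(nxt) for nxt in lines[i + 1:i + 1 + window])]


def analyze(vba_source: str) -> Verdict:
    """Score VBA source text for the self-decoding technique's building blocks."""
    lines = vba_source.splitlines()
    v = Verdict()
    for name, (rx, weight) in LINE_INDICATORS.items():
        matched = [n for n, line in enumerate(lines, 1) if rx.search(line)]
        if matched:
            v.hits[name] = matched
            v.score += weight
    loops = find_decode_loops(lines)
    if loops:
        v.hits["decode_loop"] = loops
        v.score += DECODE_LOOP_WEIGHT
    # The technique must touch the VBA project object model to inject the decoded
    # macro; the other indicators only raise confidence.
    core = {"vbom_access", "vbom_bypass", "dynamic_module"} & set(v.hits)
    v.suspicious = bool(core) and v.score >= THRESHOLD
    return v


# Constructed fixture: an ordinary spreadsheet macro (should not be flagged).
BENIGN_MACRO = """\
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1:D1").Font.Bold = True
    For i = 2 To 10
        ws.Cells(i, 4).Value = ws.Cells(i, 2).Value * ws.Cells(i, 3).Value
    Next i
End Sub
"""

# Constructed fixture mirroring the IF/ELSE structure described above. ENCODED is a
# placeholder, not a real payload; the macro is a skeleton for the detector only.
SELF_DECODING_MACRO = r"""
Private Declare PtrSafe Function CreateMutexA Lib "kernel32" (ByVal lpAttr As LongPtr, ByVal bInitial As Long, ByVal lpName As String) As LongPtr
Const ENCODED As String = "<placeholder>"

Sub AutoOpen()
    Dim app As Object, comp As Object, code As String, i As Long
    On Error Resume Next
    Set comp = ActiveDocument.VBProject.VBComponents    ' probe VBOM access
    If Err.Number <> 0 Then
        ' IF branch: VBOM not accessible, enable it and relaunch the document
        CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
        Set app = CreateObject("Word.Application")
        app.Visible = False
        app.Documents.Open ActiveDocument.FullName
    Else
        ' ELSE branch: mutex, decode the inner macro, run it in a hidden instance
        CreateMutexA 0, 0, "placeholder_mutex_name"
        For i = 1 To Len(ENCODED)
            code = code & Chr(Asc(Mid(ENCODED, i, 1)) Xor 7)
        Next i
        Set app = CreateObject("Word.Application")
        app.Visible = False
        app.Documents.Add.VBProject.VBComponents.Add(1).CodeModule.AddFromString code
        app.Run "Main"
    End If
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("self-decoding", SELF_DECODING_MACRO)):
        verdict = analyze(src)
        print(f"{label}: score={verdict.score} suspicious={verdict.suspicious} hits={sorted(verdict.hits)}")
```

The benign macro scores zero, while the constructed self-decoding skeleton trips every indicator. In practice the "vbom_access", "vbom_bypass" and "dynamic_module" hits are the ones worth alerting on even in isolation, since legitimate macros very rarely edit their own project; the remaining indicators mostly help separate this pattern from ordinary automation that happens to hide a window or declare a Win32 API.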
Once running, RokRat captures screenshots, gathers system information, steals credentials, manages files and directories, and exfiltrates the collected data.