HOW APT37 EMPLOYED ROKRAT SHELLCODE AND STEGANOGRAPHIC TECHNIQUE
Researchers have identified a new variant of RoKRAT, the malware associated with North Korea's APT37 group. This version employs two-stage encrypted shellcode execution and steganography to conceal malicious code inside image files, enabling evasion from traditional detection methods.
INFECTION VECTOR
• The intrusion begins with a ZIP archive containing a large .lnk shortcut file, often masquerading as a legitimate document.
• Once opened, PowerShell commands embedded within the shortcut unpack multiple hidden components, such as shellcode, batch files, scripts, and decoy documents, and launch the infection chain.
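A triage check for the archive stage described above, written here as an added example (not code from the original post or from Genians): it opens a ZIP in memory and flags .lnk entries that are oversized, carry a double extension, lack the Shell Link header, or reference PowerShell. The size threshold and the sample archive are constructed assumptions; the header bytes are the standard Shell Link HeaderSize and LinkCLSID.

```python
from __future__ import annotations
import io
import zipfile

# Assumption (not from the post): a genuine shortcut is a few KB, so larger is worth a look.
LNK_SIZE_THRESHOLD = 256 * 1024
# Standard Shell Link header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def contains_powershell(data: bytes) -> bool:
    """Look for 'powershell' in ASCII or UTF-16LE (LNK string data is usually UTF-16LE)."""
    needle = b"powershell"
    low = data.lower()  # bytes.lower() only touches ASCII, which is what we need
    return needle in low or needle.decode().encode("utf-16-le") in low


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return a finding per suspicious .lnk entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            data = zf.read(info.filename)
            reasons = []
            if not data.startswith(LNK_MAGIC):
                reasons.append("missing Shell Link header")
            if info.file_size > LNK_SIZE_THRESHOLD:
                reasons.append(f"oversized shortcut ({info.file_size} bytes)")
            if contains_powershell(data):
                reasons.append("embedded PowerShell reference")
            # "report.docx.lnk" style naming is the classic document masquerade.
            stem = info.filename.rsplit("/", 1)[-1][:-4]
            if "." in stem:
                reasons.append(f"double extension masquerade ({stem})")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 300 KB .lnk with a valid header, a PowerShell path, and padding."""
    lnk = LNK_MAGIC + b"\x00" * 60
    lnk += "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe".encode("utf-16-le")
    lnk += b"\x00" * (300 * 1024 - len(lnk))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invitation.docx.lnk", lnk)
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Any one of these signals alone is weak (some vendors ship large shortcuts), so treat the combination of size, double extension and a PowerShell string as the trigger for detonation in a sandbox rather than a verdict on its own.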
TWO-STAGE SHELLCODE DECODING
• The initial embedded shellcode is decoded using a single-byte XOR, then injected into a trusted Windows process such as mspaint.exe or notepad.exe.
• A second stage of XOR-based decoding (e.g. key 0xD6) reveals the full RoKRAT payload, which is executed entirely in memory without writing to disk.
STEGANOGRAPHIC PAYLOAD DELIVERY
• The standout feature of this variant is the use of steganography: a JPEG image (e.g. “Father.jpg”) is downloaded from cloud services (Dropbox, Yandex, pCloud) and contains encrypted shellcode starting at a non-standard offset.
• A dual XOR decoding process transforms this hidden data into an executable loader, which initiates RoKRAT in-memory execution without leaving disk artifacts.
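An analyst-side helper for the XOR stages and the image carrier described in the two sections above, added here as an example that is not part of the original post or of Genians' tooling: it locates data appended after a JPEG's EOI marker (falling back to scanning the whole file, since the post only says the offset is non-standard), brute-forces all 256 single-byte XOR keys against known PE plaintext, and reports the recovered key and payload offset. The sample image, its junk prefix and the use of 0xD6 as the sample key are constructed assumptions; the JPEG markers and DOS stub string are standard.

```python
from __future__ import annotations
from typing import Optional, Tuple

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Known plaintext an analyst expects in a decoded PE: the DOS stub message and the "MZ" header.
DOS_STUB = b"This program cannot be run in DOS mode"
MZ = b"MZ"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def trailing_data_offset(image: bytes) -> Optional[int]:
    """Offset of bytes appended after the last JPEG EOI marker, or None if the file ends cleanly."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    eoi = image.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("no EOI marker found")
    end = eoi + len(JPEG_EOI)
    return end if end < len(image) else None


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try all 256 single-byte keys using known plaintext, searching the encoded blob for the
    encoded form of the DOS stub rather than decoding the whole blob per key.
    Returns (key, offset of the decoded payload start within blob) or None."""
    for key in range(256):
        stub_at = blob.find(xor_bytes(DOS_STUB, key))
        if stub_at == -1:
            continue
        # The DOS stub sits within the first 0x100 bytes of a PE, so look for the encoded "MZ"
        # header just before it; fall back to the stub position if it is not there.
        window_start = max(0, stub_at - 0x100)
        mz_at = blob.rfind(xor_bytes(MZ, key), window_start, stub_at)
        return key, (mz_at if mz_at != -1 else stub_at)
    return None


def analyze_image(image: bytes) -> Optional[dict]:
    """Find an XOR-encoded payload hidden in a JPEG; report where it starts and which key decodes it."""
    trailing = trailing_data_offset(image)
    base = trailing if trailing is not None else 0  # no trailing data: scan the whole file
    blob = image[base:]
    hit = recover_xor_key(blob)
    if hit is None:
        return None
    key, rel = hit
    return {
        "trailing_offset": trailing,
        "key": key,
        "payload_offset": base + rel,
        "decoded_head": xor_bytes(blob[rel:rel + 8], key),
    }


def build_sample_image() -> bytes:
    """Constructed sample: a minimal JPEG, 16 junk bytes, then a fake PE header XOR-encoded with 0xD6."""
    jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    fake_pe = MZ + b"\x90\x00" + b"\x00" * 0x4A + DOS_STUB + b"\r\r\n$" + b"\x00" * 64
    hidden = b"\x11\x22\x33\x44" * 4 + xor_bytes(fake_pe, 0xD6)
    return jpeg + hidden


if __name__ == "__main__":
    print(analyze_image(build_sample_image()))
```

Two consecutive single-byte XOR passes with keys k1 and k2 are equivalent to one pass with k1 ^ k2, so this brute force recovers a chained single-byte scheme in one step; if the second layer uses a rolling or multi-byte key, the known-plaintext search has to be adapted to that key schedule. For detection rather than analysis, the cheaper signal is the presence of any data after EOI in an image fetched from a cloud-storage URL.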
C2 COMMUNICATION & TARGETS
• RoKRAT communicates with C2 infrastructure via legitimate cloud APIs using expired or stolen tokens tied to Dropbox, pCloud, and Yandex.
• The malware collects system info, documents, and screenshots, and exfiltrates the data in encrypted form, disguised within normal traffic to bypass inspection.
https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
