The hypothesis is that a match on this rule identifies the loader observed alongside ROKRAT malware, on disk or in memory, indicating an adversary may be establishing a foothold in the network. Because the rule matches file content rather than process behavior, SOC teams should run it in endpoint file and memory scans, forward the matches to their SIEM (Azure Sentinel here) and proactively hunt on them to catch early-stage malware activity before the intrusion progresses.
YARA Rule
rule ROKRAT_payload : TAU DPRK APT
{
    meta:
        author = "CarbonBlack Threat Research" //JMyers
        date = "2018-Jan-11"
        description = "Designed to catch loader observed used with ROKRAT malware"
        reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
        rule_version = 1
        yara_version = "3.7.0"
        TLP = "White"
        exemplar_hashes = "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"
    strings:
        $s1 = "api.box.com/oauth2/token" wide
        $s2 = "upload.box.com/api/2.0/files/content" wide
        $s3 = "api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1" wide
        $s4 = "cloud-api.yandex.net/v1/disk/resources/download?path=%s" wide
        $s5 = "SbieDll.dll"
        $s6 = "dbghelp.dll"
        $s7 = "api_log.dll"
        $s8 = "dir_watch.dll"
        $s9 = "def_%s.jpg" wide
        $s10 = "pho_%s_%d.jpg" wide
        $s11 = "login=%s&password=%s&login_submit=Authorizing" wide
        $s12 = "gdiplus.dll"
        $s13 = "Set-Cookie:\\b*{.+?}\\n" wide
        $s14 = "charset={[A-Za-z0-9\\-_]+}" wide
    condition:
        12 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns ($s1 to $s14) and fires only when at least 12 of them are present in the scanned file or memory region. The cloud-storage API paths (Box, pCloud, Yandex Disk), the image filename formats, the login form body and the two HTTP-header parsing patterns carry the wide modifier, so they are matched only in their UTF-16LE form; the DLL names (SbieDll.dll, dbghelp.dll, api_log.dll, dir_watch.dll, gdiplus.dll) are matched as ASCII. $s13 and $s14 are plain text strings, not YARA regexes: the doubled backslash is YARA's escape for a single backslash, so the bytes searched for are the literal regular-expression source that the loader carries. The combination of exfiltration endpoints with sandbox-detection DLL names is what makes the rule specific.
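As an added illustration, not part of the original page or of Carbon Black's tooling, the following Python re-implements the rule's string encoding and its 12-of-14 condition over constructed byte buffers, so that the threshold behaviour and the effect of the wide modifier can be checked without a YARA engine. It is a model of the condition, not the YARA matcher itself; in production the rule is run with yara or yara-python. The sample buffers, the helper names (matched_strings, rule_matches, triage, build_sample) and the "benign" scenario are assumptions made for this example.

```python
import hashlib

# Strings transcribed from the ROKRAT_payload rule above: (identifier, text, wide).
# A wide string is matched by YARA only in its UTF-16LE encoding; the rule gives
# no "ascii" modifier on those strings, so their ASCII form does not count.
# $s13 and $s14 are text strings, not regexes: YARA's "\\" escape yields one
# backslash, so the bytes searched for are literally Set-Cookie:\b*{.+?}\n and
# charset={[A-Za-z0-9\-_]+}  (the same Python escaping gives the same bytes).
RULE_STRINGS = [
    ("$s1",  "api.box.com/oauth2/token", True),
    ("$s2",  "upload.box.com/api/2.0/files/content", True),
    ("$s3",  "api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1", True),
    ("$s4",  "cloud-api.yandex.net/v1/disk/resources/download?path=%s", True),
    ("$s5",  "SbieDll.dll", False),
    ("$s6",  "dbghelp.dll", False),
    ("$s7",  "api_log.dll", False),
    ("$s8",  "dir_watch.dll", False),
    ("$s9",  "def_%s.jpg", True),
    ("$s10", "pho_%s_%d.jpg", True),
    ("$s11", "login=%s&password=%s&login_submit=Authorizing", True),
    ("$s12", "gdiplus.dll", False),
    ("$s13", "Set-Cookie:\\b*{.+?}\\n", True),
    ("$s14", "charset={[A-Za-z0-9\\-_]+}", True),
]
THRESHOLD = 12  # condition: 12 of ($s*)
# From the rule's exemplar_hashes meta field.
EXEMPLAR_SHA256 = "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"


def encode(text, wide):
    """Bytes YARA searches for: UTF-16LE for wide strings, ASCII otherwise."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def matched_strings(data):
    """Identifiers of the rule strings present in data, in rule order."""
    return [ident for ident, text, wide in RULE_STRINGS if encode(text, wide) in data]


def rule_matches(data):
    """Evaluate the rule condition '12 of ($s*)' over a byte buffer."""
    return len(matched_strings(data)) >= THRESHOLD


def triage(data):
    """Classify a buffer for analyst review: returns (verdict, matched identifiers).

    A SHA-256 equal to the exemplar hash is reported ahead of the string count,
    since a known-sample hash is the stronger signal."""
    hits = matched_strings(data)
    if hashlib.sha256(data).hexdigest() == EXEMPLAR_SHA256:
        return "exemplar hash", hits
    if len(hits) >= THRESHOLD:
        return "rule match", hits
    return "no match", hits


def build_sample(idents, filler=b"\x00" * 16):
    """Constructed test buffer (not a real file): the chosen rule strings,
    correctly encoded, separated by filler bytes."""
    return filler.join(encode(t, w) for i, t, w in RULE_STRINGS if i in idents)


# Constructed buffers standing in for scanned files (assumptions for this example).
ALL = [i for i, _, _ in RULE_STRINGS]
# A benign binary that imports dbghelp.dll and gdiplus.dll and also names
# SbieDll.dll, as crash handlers and anti-sandbox checks often do: 3 of 14.
BENIGN = build_sample(["$s5", "$s6", "$s12"])
# The loader's URLs present only as ASCII (for instance copied into a report):
# not counted, because the rule marks those strings wide only.
ASCII_ONLY = b"api.box.com/oauth2/token\x00upload.box.com/api/2.0/files/content"
# Eleven strings sit just under the threshold; twelve cross it.
ELEVEN = build_sample(ALL[:11])
TWELVE = build_sample(ALL[:12])

if __name__ == "__main__":
    for label, buf in [("benign", BENIGN), ("ascii-only", ASCII_ONLY),
                       ("eleven", ELEVEN), ("twelve", TWELVE)]:
        verdict, hits = triage(buf)
        print(f"{label:10s} {verdict:14s} {len(hits)}/14 {hits}")
```

The benign buffer shows why a legitimate module that merely shares a DLL name with the rule cannot trigger it: one shared name is one string, and the condition needs twelve. The ASCII-only buffer shows the other side of the wide modifier, which an analyst should keep in mind when the same indicators are searched for in logs or memory dumps that store text as ASCII.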
Scenario: A system administrator uses the Windows Task Scheduler to run a legitimate maintenance script that loads a DLL sharing a name with one of the rule's strings (for example dbghelp.dll or gdiplus.dll).
Filter/Exclusion: A shared DLL name contributes a single string and the condition requires 12 of 14, so this alone cannot trigger the rule. If a match does occur, review which strings matched and compare the file's SHA-256 with the exemplar hash. Do not exclude C:\Windows\System32 or C:\Windows\SysWOW64 wholesale: those are exactly the directories an adversary would drop a loader into, and a path exclusion there would blind the detection.
Scenario: A PowerShell script executed as part of a routine Windows Update run loads a module that matches the rule.
Filter/Exclusion: The originating process (svchost.exe, wuauclt.exe) is not a property of the scanned file and is easily impersonated, so do not filter on it. Confirm instead that the module is Microsoft-signed and that its hash is known, and review the matched strings; an update component has no reason to carry Box, pCloud or Yandex Disk API paths. Exclude a confirmed-benign file by hash rather than excluding the C:\Windows\WinSxS directory.
Scenario: A third-party application (e.g., Microsoft Configuration Manager) deploys content with its own loader that matches the rule.
Filter/Exclusion: Verify the vendor's code signature and check the file hash against a trusted application database, then exclude that specific hash. An allow-list keyed on the management client's process name (such as CcmExec.exe, the ConfigMgr client host) is weaker, since a loader can be launched under any name.
Scenario: A scheduled backup job uses a custom script that dynamically loads an encryption module which matches the rule.
Filter/Exclusion: A legitimate backup or encryption module should not contain cloud-storage upload endpoints next to sandbox-detection DLL names, so a genuine 12-of-14 match from a backup tool warrants investigation rather than an exclusion. If it is confirmed benign, exclude it by hash after verifying the vendor's signature; do not exclude by backup service process name or by backup tool directory.
Scenario: A remote management tool (e.g., Microsoft Intune or Microsoft Endpoint Manager) deploys a payload that includes a loader with similar characteristics to ROKRAT.
Filter/Exclusion: Rather than excluding everything launched by the Intune management agent, confirm that the deployed package is the one your administrators published and verify the file hash against known enterprise management