RokRat is a well-known Remote Access Trojan (RAT) that was first observed by cybersecurity researchers in 2014. Throughout the years that the malware has been operational, it has evolved considerably and is now a very sophisticated and evasive threat.
RokRat takes advantage of a malicious Hangul Word Processor (HWP) document; Hangul is a popular alternative to MS Word in South Korea. The infection begins with a spear-phishing email campaign (or, in some cases, an exploit kit) that delivers an HWP document with an embedded EPS object. The EPS object seeks to exploit the Windows vulnerability CVE-2013-0808 and then downloads a binary disguised as a JPG file, which is responsible for launching the RokRat malware on the victim's computer.
Who is Affected by the RokRat Trojan?
It seems that the main targets of the RokRat malware attack are South Koreans, given that the malware is specific to a Korean Word Processor. The specific document that leads to infection contains political views that many Koreans would be interested in as it talks about the eventual unification of the Korean Peninsula.
The malware also seems to target older versions of the Windows OS, or at least systems that haven't been updated yet. This is because Microsoft has since released a patch for the vulnerability that the CVE-2013-0808 exploit relies on.
What Can the RokRat Trojan Do?
As noted earlier, the infection vector for the RokRat Trojan is a malicious HWP document that contains an embedded Encapsulated PostScript (EPS) object. The EPS object exploits the well-known vulnerability CVE-2013-0808 and then downloads a binary that is disguised as a JPG file.
Once on a device, the RokRat Trojan launches a cmd.exe process, injects the extracted payload into it and executes it. The RokRat Trojan uses many techniques to evade detection. For example, it relies on the legitimate Mediafire, Yandex and Twitter cloud platforms as its command-and-control (C2) channels. It also communicates over HTTPS, which makes its traffic hard to distinguish from legitimate use of those services and very hard to gather data on its activities.
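A simple triage check for the "binary disguised as a JPG" stage described above, added here as an example and not taken from the article or from any published RokRat analysis: it trusts a file's content rather than its extension and flags a file named .jpg that actually carries a PE (Windows executable) header. All sample bytes are constructed and are not real RokRat artefacts.

```python
import struct

# Constructed samples, not real malware: a minimal JPEG header, a minimal PE
# (DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature at 0x80)
# and an EPS fragment, each paired with the file name it pretends to have.
PE_SAMPLE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
             + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 64)
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64,
    "image.jpg": PE_SAMPLE,
    "figure.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
}

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew (offset 60) points at 'PE\\0\\0'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Identify the content type from leading bytes, ignoring the file name."""
    if is_pe(data):
        return "pe"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"%!PS"):
        return "postscript"
    return "unknown"


def classify(name: str, data: bytes) -> str:
    """Flag an image extension that hides an executable; otherwise report the sniffed type."""
    ext = name.rsplit(".", 1)[-1].lower()
    kind = sniff(data)
    if ext in IMAGE_EXTENSIONS and kind == "pe":
        return "suspicious: executable disguised as image"
    return kind


def scan(samples=SAMPLES):
    return {name: classify(name, data) for name, data in samples.items()}
```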
As a Trojan, the RokRat malware is capable of stealing passwords, logging keystrokes, taking screenshots, executing files, uploading documents and even killing processes. Cybercriminals can then use this data for all kinds of things, including financial and identity fraud. But since RokRat appears to be a North Korean cyber weapon, its real goal is to gather intelligence for the state.
The RokRat Trojan is a very sophisticated piece of malware that poses a great threat to its victims. If a computer is infected by the RokRat remote access Trojan, it needs to be removed as soon as possible.
How to Remove the RokRat Trojan
Removing the RokRat Trojan is easy, as all you need is a powerful anti-malware solution. You should also know that the RokRat Trojan is no longer a significant threat that should worry you, as the exploit that it uses (CVE-2013-0808) has since been patched. So, unless you are using a computer that has not been updated for a really long time, the malware is not much of a threat to you.
That said, malware authors are always looking for other exploits that they can use in future infection campaigns, so there is a need to stay vigilant. Here are a few tips to help you with that.
Download the latest Windows updates
No matter what OS you are using (unless you are on Windows XP, which is a really bad idea), always keep it up to date by downloading and installing the recommended updates.
Install an anti-malware solution
Do you have anti-malware software on your computer? If not, it is about time that you downloaded some, as it is the only way to guard against malware infections.
Clean your Computer
If you don't already have a PC repair tool on your computer, get one before you finish reading this. It is the kind of software that denies malware entities such as the RokRat Trojan residence on your device by deleting junk files, browsing history and cookies, and by repairing broken or missing registry entries.
Be wary of online scams
Having been around computers and the internet for a while, you should by now know that cybercriminals will do anything in their power to infiltrate your computer. Don't make it easy for them by falling for cheap online scams.
Hopefully, this article on how to get rid of the RokRat Trojan has been insightful for you. If you have questions regarding the malware entity discussed here, please feel free to post them in the comment section below.