Large LNK files leveraged for RokRAT malware deployment

Microsoft's implementation of default macro blocking across Office documents has prompted North Korean state-sponsored threat operation Scarcruft, also known as APT37, Nickel Foxcroft, RedEyes, InkySquid, Ricochet Chollima, and Reaper, to leverage oversized LNK files to facilitate RokRAT malware delivery since last July, according to The Hacker News. Scarcruft has been launching spear-phishing attacks using LNK files to trigger multi-stage infection sequences that would eventually result in infections with the RokRAT malware, also known as DOGCALL, as well as its Android and macOS variants, dubbed RambleOn and CloudMensis, respectively, a report from Check Point showed. All RokRAT malware variants could allow credential and data exfiltration, system information collection, shellcode and command execution, screenshot capture, and file and directory management, while the new double-click malware delivery approach was noted to be more reliable than Office macros and n-day exploits that needed more clicks. "APT37 continues to pose a considerable threat, launching multiple campaigns across the platforms and significantly improving its malware delivery methods," said Check Point.