Kim Jung Un = InkySquid
RokRAT is a closed-source malware family believed to be used exclusively by the North Korean APT37 threat actor, which MAGA CYBER tracks as InkySquid. The threat actor has attracted little public attention in the last year and a half. In this case, MC was able to attribute the new BLUELIGHT malware family, observed in the incident described in the previous post, to APT37 based on the use of RokRAT: the two families were observed being deployed sequentially during the same intrusion.
Both the BLUELIGHT malware family and RokRAT use cloud services for command and control, making network-based detection more difficult. Additionally, while installing full copies of scripting-language runtimes such as Ruby and Python is noisy, the attackers use those runtimes to obfuscate the actual malware: the payload remains encoded on disk and is only truly visible in memory, after the interpreter has decoded it.
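The noisy part of this tradecraft, a full Python or Ruby runtime dropped somewhere it does not belong and then used to run an encoded payload, is also the part a defender can look for on the endpoint. The script below is an added example, not code from MAGA CYBER or from the page; it assumes a simple constructed process-creation log format (`timestamp pid=N image="..." cmdline="..."`) and assumed lists of "expected" interpreter install roots and user-writable directories, both of which would need tuning for a real environment. It flags interpreter launches from non-standard locations, interpreters or script arguments living in user-writable paths, and inline code passed on the command line.

```python
import re
from dataclasses import dataclass

# Interpreter binaries of the scripting runtimes the page mentions being dropped.
INTERPRETERS = {"python.exe", "pythonw.exe", "ruby.exe", "rubyw.exe"}

# Assumed roots where a legitimately installed interpreter is expected to live.
EXPECTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\python",
    "c:\\ruby",
)

# Assumed user-writable locations where a dropped runtime or payload would sit.
USER_WRITABLE = (
    "\\appdata\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\temp\\",
)

# python -c / ruby -e execute code straight from the command line.
INLINE_CODE_FLAGS = {"-c", "-e"}

# Constructed log format: ts pid=N image="..." cmdline="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image="(?P<image>[^"]+)"\s+cmdline="(?P<cmdline>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    pid: int
    image: str
    reasons: list


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    return event


def classify(event):
    """Return the list of reasons an interpreter launch looks suspicious (empty if benign)."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name not in INTERPRETERS:
        return []
    reasons = []
    if not image.startswith(EXPECTED_ROOTS):
        reasons.append("interpreter outside standard install location")
    if any(root in image for root in USER_WRITABLE):
        reasons.append("interpreter in user-writable directory")
    args = event["cmdline"].lower().split()[1:]
    if any(arg in INLINE_CODE_FLAGS for arg in args):
        reasons.append("inline code passed on command line")
    if any(any(root in arg for root in USER_WRITABLE) for arg in args):
        reasons.append("script argument in user-writable directory")
    return reasons


def scan(lines):
    """Run classify() over log lines and collect the launches worth a closer look."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append(Finding(event["ts"], event["pid"], event["image"], reasons))
    return findings


# Constructed sample log: one benign developer run, one benign non-interpreter,
# and two interpreter launches of the kind the page describes.
SAMPLE_LINES = [
    r'2021-08-17T10:01:02Z pid=412 image="C:\Program Files\Python39\python.exe" cmdline="python.exe C:\Dev\build.py"',
    r'2021-08-17T10:02:15Z pid=988 image="C:\Users\alice\AppData\Roaming\rb\bin\ruby.exe" cmdline="ruby.exe C:\Users\alice\AppData\Roaming\rb\update.rb"',
    r'2021-08-17T10:02:16Z pid=1001 image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'2021-08-17T10:03:40Z pid=1204 image="C:\ProgramData\py\pythonw.exe" cmdline="pythonw.exe -c print(1)"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.ts} pid={f.pid} {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

The on-disk payload itself stays encoded, so a file-content signature is a poor fit; the launch context of the interpreter is the more durable signal, and in a real deployment these rules would be fed from EDR or Sysmon process-creation telemetry rather than a text log.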