APT37 Utilizes RokRAT In Fileless Attacks
APT37 also known as Konni Thallium and InkySquid was discovered targeting entities in South Korea with the RokRAT cloud-based remote access tool. Initial access was carried out through spearphishing emails with a malicious ZIP file disguised as belonging to a North Korea-related research field. The threat actor leveraged DropBox cloud storage to host the malicious files. Multiple PowerShell commands along with LNK files were used to carry out the infection process. RokRAT has been leveraged by APT37 since at least 2017 and can be used to collect and exfiltrate sensitive information and download additional malicious files to infected systems.