Date: 2023-06-06

While researching the RokRAT-related files, X-Force also uncovered three LNK files that behave differently than expected. They do not use OneDrive or a similar cloud application to host a second-stage payload, and instead of dropping a batch file they drop a VBS file; the obfuscation technique for the dropped files is hex-encoding rather than string concatenation. In addition, the RokRAT LNK files drop batch files and download a payload that is decoded using its first byte as the key, after which the payload is executed using Windows API functions (VirtualProtect). The VBS downloaders dropped by these additional LNK files do not perform these actions.

The LNK files analyzed contain an encoded PowerShell script. Once an LNK file is executed, the PowerShell script runs and two files are dropped to the user's %TEMP% folder. In one analyzed sample, the files dropped were a VBS file (tmp<random-9-digit-number>.vbs) and a plaintext file with the contents asdfgqwert. The VBS file is then executed via WScript.exe:

“C:\Windows\System32\WScript.exe” “C:\Users\Usuario\AppData\Local\Temp\tmp<nine-digit-number>.vbs”

WScript.exe is a service provided by the Windows system with scripting abilities. Subsequently, two GET requests are initiated. In a third file we analyzed, instead of the LNK file dropping a VBS and a plaintext file, a VBS file and a JPEG decoy file are dropped to the user's %TEMP% folder. In this case, the JPEG decoy file appears to be correspondence related to the “Proof of Digital Assets”. At the time of this analysis, X-Force was unable to retrieve the final payload from the servers, as they had been taken down; therefore, it is uncertain whether these additional LNK files are related to ITG10 activity. Further research and analysis are needed to determine relevance and attribution.
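The execution chain described above (LNK runs PowerShell, which drops tmp<nine-digit-number>.vbs to %TEMP% and launches it with WScript.exe) is a useful hunting pattern on process-creation telemetry. The following is an added detection example, not code from the X-Force report; the event lines are constructed Sysmon-style records, not real telemetry, and the field names (Image, CommandLine, ParentImage) are assumed.

```python
import re

# Constructed sample process-creation events, flattened to one 'Key=Value|...' line each.
# They are made up to exercise the detection logic and are not from the report.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WScript.exe|CommandLine=\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\Usuario\\AppData\\Local\\Temp\\tmp123456789.vbs\"|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Image=C:\\Windows\\System32\\WScript.exe|CommandLine=\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Scripts\\logon.vbs\"|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\Usuario\\AppData\\Local\\Temp\\tmp987654321.vbs|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\WScript.exe|CommandLine=wscript.exe C:\\Users\\Usuario\\AppData\\Local\\Temp\\tmp555555555.vbs|ParentImage=C:\\Windows\\explorer.exe",
]

# wscript.exe followed by a path into a user's Local\Temp folder whose file name is
# tmp + exactly nine digits + .vbs, the naming observed in the analyzed samples.
TEMP_VBS_RE = re.compile(
    r"wscript\.exe\"?\s+\"?(?P<path>[a-z]:\\users\\[^\\\"]+\\appdata\\local\\temp\\tmp\d{9}\.vbs)\"?",
    re.IGNORECASE,
)

def parse_event(line: str) -> dict[str, str]:
    """Split a flattened 'Key=Value|Key=Value' event into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def classify(event: dict[str, str]) -> str:
    """'high' when WScript runs a Temp tmp<9 digits>.vbs and the parent is PowerShell
    (the LNK -> PowerShell -> VBS chain); 'medium' for any other parent; else 'none'."""
    m = TEMP_VBS_RE.search(event.get("CommandLine", ""))
    if not m:
        return "none"
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\powershell.exe") or parent.endswith("\\pwsh.exe"):
        return "high"
    return "medium"

def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Return (severity, vbs_path) for every event that matches the pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev != "none":
            hits.append((sev, TEMP_VBS_RE.search(ev["CommandLine"]).group("path")))
    return hits
```

A benign logon script run by WScript from outside %TEMP% and an editor opening a .vbs file are both left unflagged, so the rule keys on the specific drop location, naming scheme and parent process rather than on WScript.exe alone.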