ROKRAT using Twitter as command and control link

Researchers at Cisco Talos explain how ROKRAT malware is leveraging social media to hide its C&C communications in plain sight

According to a new report from Cisco Talos researchers, the ROKRAT malware is exploiting social media such as Twitter as a command and control communication channel. The ROKRAT campaign starts, like so many others, with a spear-phishing email complete with a malicious document attached. The first known instance of the malware spoofed an email address of the Korea Global Forum, a group dedicated to the reunification of North and South Korea.

The attachment contains an embedded encapsulated postscript (EPS) object, designed to exploit a common vulnerability (CVE-2013-0808) and download a binary disguised as a .jpg file. Once this is successful, things start getting really interesting, with the ROKRAT executable (a remote access tool or RAT for short) using legitimate websites for command and control servers. The malware uses Twitter together with two cloud platforms, Yandex and Mediafire, for C&C communications and exfiltration respectively.

SC Media UK spoke to the authors of the report, Warren Mercer, technical leader and Paul Rascagneres, a security researcher, both at Cisco Talos.

Click here to read complete article