APT37 uses VBA self-decoding technology to inject RokRat


On December 7, 2020, researchers discovered a malicious document uploaded to VirusTotal. The content of the document referred to a meeting to be held in January 2020, and the document was compiled on January 27, 2020; its main target was the South Korean government. In other words, the attack took place about a year before the document was discovered.

The file contains an embedded macro that uses VBA self-decoding technology to decode itself in the Office memory space without writing anything to disk. The decoded macro then injects a RokRat variant into Notepad.exe.

Based on the analysis of the injected payload, the researchers attribute the sample to APT37. APT37 is a North Korean hacker group, also known as ScarCruft, Reaper, and Group123. It has been active since 2012 and its main targets are victims in South Korea.

Document analysis

The VBA self-decoding technology used by the attackers in this macro first appeared in 2016. In this technique, the malicious macro is stored in encoded form and is decoded and executed dynamically at run time.


Figure 1: Malicious document

The visible macro can be thought of as an unpacker stub, which is executed when the document is opened. The unpacker stub decompresses the malicious macro and writes it into Office memory instead of to disk. In this way, many security mechanisms that inspect the file on disk can be bypassed.


Figure 2: Self-decoding technology

The macro used in this file is shown in Figure 3. It starts by calling the “ljojijbjs” function and takes different execution paths depending on the result.


Figure 3: Encoded macro

Microsoft disables the dynamic execution of macros by default. An attacker who wants to generate and execute macros dynamically must modify the registry value that controls access to the VB object model (VBOM).

To find out whether the VBOM restriction has already been bypassed, the macro tests whether the VBOM can be accessed. The “ljojijbjs” function checks read access to VBProject.VBComponent. If an exception is raised, the VBOM still needs to be bypassed; if no exception is raised, the VBOM has already been bypassed and the VBA code can extract macros dynamically.


Figure 4: Check VBOM access

The “fngjksnhokdnfd” function will be called to bypass VBOM. This function will set the VBOM registry key value to 1.


Figure 5: Modify VBOM registry key

After bypassing the VBOM, the CreateMutexA API is called to create a mutex named “mutexname” on the victim’s machine. A mutex is normally used by an attacker to make sure a victim is infected only once, but no code that checks for the mutex was found in the file.


Figure 6: Mutex creation

Finally, in order to perform the self-decoding process, the macro creates a new Application object, opens the current document in it, and keeps that instance invisible.


Figure 7: Self-opening

If the VBOM is successfully bypassed, the Init function is called to build the malicious macro in its obfuscated form.


Figure 8: Obfuscated macro

The obfuscated macro is then passed to “eviwbejfkaksd” for de-obfuscation and executed in memory.


Figure 9: De-obfuscation

In order to de-obfuscate the macro, two string arrays are defined:

· StringOriginal: the character array containing the de-obfuscated (plain) characters;

· StringEncoded: the character array containing the obfuscated characters.

A loop is then defined to de-obfuscate the macro. In each iteration it takes one character from the obfuscated macro and looks up its index in StringEncoded; the character at the same index in StringOriginal is then appended to the new macro. For example, “gm* bf” in the encoded macro is decoded as “Option”.


Figure 10: De-obfuscation loop
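The loop above is a plain index substitution: StringEncoded is the obfuscated alphabet and StringOriginal the plaintext alphabet at the same positions. The following is an added example, not the macro's own code: the real tables are not reproduced on the page, so the two tables below are constructed so that the page's sample “gm* bf” decodes to “Option”. The page also does not say what the macro does with a character that is absent from StringEncoded; this example passes such characters through unchanged and reports them separately, which is an assumption.

```python
"""Index-substitution decoder for the macro de-obfuscation loop (Figure 10).

Added example, not the analysed macro's code. The two tables below are
CONSTRUCTED so that the page's sample "gm* bf" decodes to "Option".
"""

# Constructed tables (assumption: not the real alphabets). Both tables must
# have the same length and neither may repeat a character, otherwise the
# index lookup is ambiguous.
STRING_ORIGINAL = "Option Exlc\nSubMa()"
STRING_ENCODED = "gm* bf1234567890!@#"


def check_tables(original: str, encoded: str) -> None:
    """Reject tables that cannot define a one-to-one substitution."""
    if len(original) != len(encoded):
        raise ValueError("tables differ in length")
    if len(set(original)) != len(original) or len(set(encoded)) != len(encoded):
        raise ValueError("tables contain duplicate characters")


def decode_macro(obfuscated: str, original: str = STRING_ORIGINAL,
                 encoded: str = STRING_ENCODED) -> str:
    """Mirror of the loop in Figure 10: for each character of the obfuscated
    macro, find its index in StringEncoded and emit the character found at the
    same index of StringOriginal.

    Characters that are not in StringEncoded are copied through unchanged
    (assumption: the page does not describe this case)."""
    check_tables(original, encoded)
    out = []
    for ch in obfuscated:
        idx = encoded.find(ch)
        out.append(original[idx] if idx >= 0 else ch)
    return "".join(out)


def encode_macro(plain: str, original: str = STRING_ORIGINAL,
                 encoded: str = STRING_ENCODED) -> str:
    """Inverse mapping; used here only to build a constructed test fixture."""
    check_tables(original, encoded)
    return "".join(encoded[original.index(ch)] if ch in original else ch
                   for ch in plain)


def unknown_characters(obfuscated: str, encoded: str = STRING_ENCODED) -> set:
    """Characters the table cannot decode. An analyst checks this is empty
    before trusting the recovered macro; a non-empty set means the tables
    pulled out of the document are incomplete."""
    return {ch for ch in obfuscated if ch not in encoded}


if __name__ == "__main__":
    # Constructed sample: a two-line macro header run through the mapping.
    sample = encode_macro("Option Explicit\nSub Main()")
    print(repr(sample))
    print(decode_macro(sample))
    print(unknown_characters(sample))
```

When working on a real document, the two tables and the obfuscated string are copied out of the extracted VBA source and dropped into STRING_ORIGINAL, STRING_ENCODED and the input; the duplicate check is what catches a table that was copied with a character missing.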

The decoded macro is then executed in the Office memory space: a new module is created, the decoded macro is written into that module, and its main function is called.

The main function defines a shellcode in hexadecimal format, with notepad.exe as the target process. Depending on the operating system version, it creates a Notepad.exe process and uses VirtualAlloc to allocate memory in its address space. It then uses WriteProcessMemory to write the shellcode into the allocated memory and, finally, calls CreateRemoteThread to execute the shellcode inside the address space of Notepad.exe.


Figure 11: De-obfuscated macro
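Because the decoded macro never touches disk, signature scanning of the document body misses it; what does remain in clear text is the unpacker stub (the VBOM probe and registry write of Figures 4 and 5), and the decoded macro (Figure 11) becomes available once an analyst has run it through the decoder. The following is an added triage script, not the analysed macro and not the rule set of any existing tool, that scores extracted VBA source against the stages the page describes. The registry value name AccessVBOM is the real Office setting that governs access to the VBA project; the stage names, weights, thresholds and the sample VBA text are constructed for this example, and the Declare lines in the sample have their argument lists omitted because the scanner only looks at names. In practice the source to scan comes from olevba (oletools) or the decoder output.

```python
"""Static triage of extracted VBA source for the infection-chain stages
described on the page: VBOM probe, VBOM bypass, self-opening, mutex and
process injection. Added example; stage names, weights and sample text are
constructed here. AccessVBOM is the real Office registry value name."""

import re

# Stage -> (weight, regexes that betray it in source). Weights are an
# assumption chosen for this example, not a published scoring scheme.
STAGES = {
    "vbom_probe":   (2, [r"VBProject\.VBComponents"]),
    "vbom_bypass":  (3, [r"AccessVBOM"]),
    "self_open":    (2, [r"Documents\.Open", r"Visible\s*=\s*False"]),
    "mutex":        (1, [r"CreateMutexA?"]),
    "injection":    (4, [r"VirtualAlloc(Ex)?", r"WriteProcessMemory",
                         r"CreateRemoteThread"]),
    "dynamic_code": (3, [r"\.AddFromString", r"VBComponents\.Add"]),
}


def triage_vba(source: str):
    """Return (score, hits): hits maps each detected stage to the sorted
    indicator strings that matched; score is the sum of stage weights."""
    hits = {}
    for stage, (weight, patterns) in STAGES.items():
        found = sorted({m.group(0) for p in patterns
                        for m in re.finditer(p, source, re.IGNORECASE)})
        if found:
            hits[stage] = found
    score = sum(STAGES[s][0] for s in hits)
    return score, hits


def verdict(score: int) -> str:
    """Constructed thresholds: one stage alone is only worth a look, the
    bypass plus the injection chain is what makes the document suspicious."""
    if score >= 6:
        return "suspicious"
    if score >= 3:
        return "review"
    return "clean"


# Constructed stub resembling the probe and bypass functions named on the
# page; argument lists of the Declare statements are omitted on purpose.
SAMPLE_STUB = r'''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( ... ) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" ( ... ) As Long
Private Declare PtrSafe Function CreateRemoteThread Lib "kernel32" ( ... ) As LongPtr
Sub fngjksnhokdnfd()
    CreateObject("WScript.Shell").RegWrite _
        "HKCU\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
End Sub
Sub ljojijbjs()
    On Error GoTo Bypass
    Dim n: n = ActiveDocument.VBProject.VBComponents.Count
End Sub
'''

# Constructed benign macro for comparison.
SAMPLE_BENIGN = 'Sub AutoOpen()\n    MsgBox "Report generated"\nEnd Sub\n'


if __name__ == "__main__":
    for name, src in (("stub", SAMPLE_STUB), ("benign", SAMPLE_BENIGN)):
        score, hits = triage_vba(src)
        print(name, score, verdict(score), hits)
```

The scan is deliberately run twice in an investigation: once on the stub as extracted from the document, where only the VBOM probe and bypass show up, and again on the decoder output, where the injection APIs and the module-creation calls appear. A document whose stub scores on `vbom_bypass` but whose visible code contains no injection API is exactly the self-decoding pattern the page describes.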

Shellcode analysis (RokRat)

The shellcode injected into Notepad.exe downloads an encrypted payload from http://bit[.]ly/2Np1enh, a link that redirects to a Google Drive link.


Figure 12: Download URL

The shellcode injected into Notepad.exe is a variant of the cloud-based RAT RokRat, which APT37 has been using since 2017. The compilation time of the sample is October 29, 2019. The RAT can steal data from the victim’s machine and send it to cloud services such as pCloud, Dropbox, Box and Yandex.


Figure 13: Hard-coded cloud services

Like the previous variant, this variant uses a number of anti-analysis techniques to make sure it is not running in an analysis environment. The checks include:

· Checking for DLLs related to iDefense SysAnalyzer, Microsoft debugging DLLs, and sandbox-related DLLs;

· Calling IsDebuggerPresent and GetTickCount to detect a debugger;

· Checking for VMware-related files.


Figure 14: Anti-analysis techniques

The RAT has the following functions:

· Screenshot;


Figure 15: Screenshot

· Collect system information, such as user name, computer name, BIOS, etc.;


Figure 16: Collect BIOS data

· Steal data and send to cloud service;


Figure 17: Data theft

· Credential theft;

· File and directory management, etc.

Summary

The infection vector used by APT37 is mainly spear phishing. In the case described in this article, the researchers found Office documents weaponized with self-decoding macros. Self-decoding macro technology bypasses many static detection mechanisms and hides the signs that a document is malicious. The final payload used in the attack was a variant of the RokRat RAT, which in this example was injected into Notepad.exe.