Hackers Exploit Academic Event Materials to Deploy RokRAT Malware

Cybersecurity researchers have uncovered a sophisticated phishing campaign that leverages authentic academic event information to distribute the RokRAT malware. This operation, identified as ‘Operation Capsule Vault,’ targets researchers by disguising malicious payloads as legitimate seminar materials.

The attackers utilized details from a genuine academic event, the Honsan Kalma Tourism Forum held in Seoul on June 9, to craft convincing phishing emails. These messages, appearing as standard business communications, directed recipients to a Dropbox-hosted ISO file purportedly containing conference materials. The ISO file, named to resemble a seminar booklet, contained an executable disguised as a PDF document. When opened, this file displayed a legitimate-looking document while simultaneously executing malicious code in the background.

Upon execution, the malware initiates a multi-stage infection process. It extracts embedded content and injects the RokRAT payload into ‘explorer.exe,’ a legitimate Windows process. This technique helps the malware evade detection by blending its activities with normal system operations. Once active, RokRAT collects system information and establishes communication channels through cloud services like Dropbox, pCloud, and Yandex. It can perform various malicious activities, including taking screenshots, collecting files, enumerating drives, gathering process information, and executing commands from its operators. Additionally, it has the capability to remove traces of its presence by deleting files created in temporary locations.

This campaign underscores the evolving tactics of cybercriminals who exploit publicly available information to craft highly convincing phishing attacks. By using real event details, attackers increase the likelihood of deceiving targets, making it imperative for individuals and organizations to exercise caution when handling unsolicited communications, even if they appear legitimate. Implementing robust cybersecurity measures and maintaining awareness of such sophisticated tactics are crucial steps in mitigating the risk of such attacks.