A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government.
The Remote Access Trojan (RAT) has been connected to attacks based on the exploitation of a Korean-language word processor commonly used in South Korea for several years; specifically, the compromise of Hangul Office documents (.HWP).
In the past, the malware has been used in phishing campaigns that lure victims through emails containing attachments with a political theme — such as Korean unification and North Korean human rights.
RokRat is believed to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123. Active since at least 2012, the advanced persistent threat (APT) group is likely state-sponsored and potentially tasked with targeting entities of value to the North Korean ruling party.