
RokRAT

Also known as: DOGCALL

Category: Malware

Type: Remote access trojan

Platform: Windows

Variants: -

Damage potential: Data theft, espionage, remote control and surveillance, botnet participation.

Overview

RokRAT is a remote access trojan used by the North Korean cyber espionage group APT37 (also tracked as ScarCruft). It primarily targets South Korean individuals and organisations through spear-phishing campaigns, and once installed it gives the operators control of the machine, lets them monitor the user, and exfiltrates sensitive information. What sets RokRAT apart is its use of legitimate cloud storage services such as Dropbox, Google Drive, and Yandex Disk as its command and control (C2) channel: commands and stolen data travel over HTTPS to domains that most organisations allow, so the traffic blends in with ordinary sync-client and browser activity and is hard to spot by destination alone. In practice, the more useful question is which process on the host is talking to those services, not whether they are contacted at all. RokRAT also performs anti-analysis checks that detect virtual machines and sandboxes, and offers the operators extensive remote control capabilities, including keylogging, screenshot capture, and audio recording.
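The following is an added example, not RokRAT code and not an official NordVPN or vendor detection, of how a defender can hunt for the cloud-storage C2 pattern described above: it reads process-level network connection records and flags any connection to a cloud storage service from a process that is not a known sync client or browser. The log format (`ts|host|image|dest|dport`), the domain list, the process allowlist, and the sample records are all assumptions constructed for illustration.

```python
"""
Hunt for the cloud-storage C2 pattern: a process that is not a known sync
client or browser talking to Dropbox, Google Drive or Yandex Disk endpoints.
Added example; the log format, domain list and process allowlist are
assumptions for illustration, not RokRAT artefacts.
"""
from dataclasses import dataclass

# Representative cloud storage service domains (assumed list; extend it to
# the services actually in use in your environment).
CLOUD_STORAGE_DOMAINS = (
    "dropboxapi.com", "dropbox.com",
    "googleapis.com", "drive.google.com",
    "cloud-api.yandex.net", "disk.yandex.ru",
)

# Processes expected to talk to those services (assumed allowlist; tune it).
EXPECTED_PROCESSES = {
    "dropbox.exe", "googledrivefs.exe", "yandexdisk2.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}


@dataclass
class NetConn:
    ts: str
    host: str
    image: str    # full path of the process that opened the connection
    dest: str     # destination hostname
    dport: int


def parse_line(line: str):
    """Parse one 'ts|host|image|dest|dport' record (assumed format); None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    return NetConn(parts[0], parts[1], parts[2], parts[3].lower(), int(parts[4]))


def is_cloud_storage_host(dest: str) -> bool:
    """True if dest is one of the listed domains or a subdomain of one."""
    d = dest.lower()
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_DOMAINS)


def process_name(image: str) -> str:
    """Return the lower-cased executable name from a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(image: str) -> bool:
    """Heuristic: binaries running from AppData, Temp or Downloads deserve a closer look."""
    p = image.lower()
    return any(m in p for m in ("\\appdata\\", "\\temp\\", "\\downloads\\"))


def hunt(log_text: str) -> list:
    """Return every cloud-storage connection made by a process outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None or not is_cloud_storage_host(conn.dest):
            continue
        proc = process_name(conn.image)
        if proc in EXPECTED_PROCESSES:
            continue  # sync client or browser: expected, not a hit
        hits.append({
            "ts": conn.ts, "host": conn.host, "process": proc,
            "image": conn.image, "dest": conn.dest,
            "user_writable": in_user_writable_dir(conn.image),
        })
    return hits


# Constructed sample records in the assumed format (not real telemetry).
SAMPLE_LOG = r"""
2024-05-02T09:14:03Z|WS-017|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|api.dropboxapi.com|443
2024-05-02T09:14:10Z|WS-017|C:\Program Files\Google\Chrome\Application\chrome.exe|www.googleapis.com|443
2024-05-02T09:15:41Z|WS-017|C:\Users\jkim\AppData\Local\Temp\svchost.exe|content.dropboxapi.com|443
2024-05-02T09:16:02Z|WS-017|C:\Windows\System32\svchost.exe|cloud-api.yandex.net|443
2024-05-02T09:16:30Z|WS-017|C:\Windows\System32\svchost.exe|ctldl.windowsupdate.com|80
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        flag = " [user-writable path]" if h["user_writable"] else ""
        print(f'{h["ts"]} {h["host"]} {h["image"]} -> {h["dest"]}{flag}')
```

On the constructed sample the two `svchost.exe` connections are reported and the Dropbox client and Chrome are not: the one from a Temp directory is the classic dropper location, and the one from System32 is worth checking for process injection, since the real service host has no reason to talk to Yandex Disk. The allowlist is deliberately small; in a real environment it must be built from your own telemetry, and a hit is a lead for triage, not proof of RokRAT.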

Possible symptoms

Because RokRAT is built for quiet, long-term espionage, an infected machine often shows no obvious symptoms at all. When signs do appear, they may include:

  • System slowdowns, crashes, and freezes.
  • Unusual network traffic, in particular connections to cloud storage services from programs that are not sync clients or browsers.
  • Files being moved, modified, or removed without user interaction.
  • Mouse cursor moving on its own.
  • Programs starting or stopping unexpectedly.
  • Webcam or microphone switching on without user interaction.
  • Frequent error messages.
  • Unexpected pop-ups and notifications.
  • Increased CPU or memory usage.
  • Disabled security software.

Sources of infection

RokRAT typically arrives through targeted phishing emails carrying malicious documents, such as Microsoft Word files, that are crafted for the intended victim. Less commonly, it is delivered from websites set up or compromised to host malicious files, through malvertising, or through peer-to-peer (P2P) sharing of infected files.

Protection

Because RokRAT arrives mainly through targeted phishing, caution with email attachments and downloads is your main defence.

  • Do not click on suspicious links or attachments, especially from unknown senders.
  • Avoid downloads from unofficial sources.
  • Scan downloads for malware, block malware-hosting websites, and stop malicious ads with NordVPN’s Threat Protection feature.
  • Install reliable antivirus software and keep it updated.

Removal

If you think you might have RokRAT on your device, you need to act promptly:

  • Disconnect your device from the internet to cut RokRAT off from its command and control channel, including the cloud storage accounts it uses to receive commands and upload stolen data.
  • Boot into safe mode.
  • Run a full system scan using a reputable antivirus solution.
  • Follow the instructions provided by your antivirus software to isolate and remove the malware.

Because RokRAT can log keystrokes and capture screenshots, treat every password and account used on the infected device as compromised and change them from a clean machine. For a confirmed infection, reinstalling the operating system is the surest way to be certain the malware and any modules it loaded are gone. Consult an IT professional if you don't feel confident handling the removal yourself.