A RAT that Tweets: New ROKRAT Malware Hides behind Twitter, Amazon, and Hulu Traffic

June 21, 2017  |  Danielle Russell

To carry out attacks, malware and botnets rely on communication with a Command & Control server (C&C or C2) to receive instructions. As a result, today’s security tools have become extremely adept at detecting traffic to and from malicious IP addresses. When a system or device starts talking to a malicious IP or domain, alarms sound and IT security pros roll up their sleeves.

In recent years, however, malicious actors have begun to launch attacks from the depths of Twitter, trying to evade detection and prevent their C2 infrastructure from being found and shut down. In 2016, Twitoor—a widespread Android botnet controlled by Twitter—affected millions of Android devices. And, earlier this year, researchers at University College London discovered a Twitter botnet of over 350K bots called the Star Wars Botnet because, oddly enough, the bots tweet partial Star Wars quotes. (Cue Admiral Ackbar.)

Attackers are increasingly using legitimate websites and servers as infrastructure in their attacks, knowing that it can be more difficult to detect, especially to the untrained eye.

The RAT of Twitter: ROKRAT

In April, security researchers at Cisco Talos uncovered a new malware campaign that does just that. Dubbed ROKRAT, this new piece of malware uses multiple anti-detection techniques, including the use of legitimate websites like Twitter, Amazon, and Hulu to hide its malicious activities.

Researchers found that ROKRAT uses the public APIs of Twitter along with two other legitimate cloud platforms—Mediafire and Yandex—to get commands and to exfiltrate data. According to researchers, the malware can receive orders by checking the most recent message on the Twitter account’s timeline and can also post tweets. The malware uses the Yandex and Mediafire APIs to download and upload stolen data to the cloud.

Going further with its anti-detection tactics, researchers found that ROKRAT has a feature to detect if the victim’s system is running any processes associated with malware detection, debugging tools, or sandbox environments. If detected, the malware will generate dummy HTTP traffic to legitimate websites, including Amazon and Hulu, to mask its malicious activities. To the untrained eye, the victim appears to be watching anime at work.

ROKRAT is the latest example of how today’s sophisticated malware and ransomware campaigns layer on a wide breadth of tools, tactics, and procedures (TTPs) to evade detection. Here’s the full rundown of the TTPs discovered in the ROKRAT campaign, as described by the Cisco Talos researchers:

  • A spear-phishing email campaign from a compromised university email account
  • A social engineering tactic, using a conference on unity in Korea as its pretext
  • A malicious Word file attachment (Hangul Word Processor, used mainly in Korea)
  • An embedded EPS object to exploit a well-known vulnerability (CVE-2013-0808)
  • A remote administration tool (RAT) payload disguised a JPG image file
  • The use of Twitter, Yandex, and Mediafire clouds for C2 communication
  • A feature that executes an infinite loop of sleep if the OS detected is Windows XP or Windows Server 2003
  • A feature that detects the use of debugging or sandbox tools like Wireshark or File Monitor and, if detected, generates “normal-looking” dummy HTTP traffic to legitimate Amazon or Hulu pages
  • A keylogger that also captures the title of the active window to know where the user is typing

This long list of TTPs, which includes the use of legitimate popular websites to evade detection, shows that malware and ransomware campaigns are becoming increasingly more complex, multi-faceted, and sophisticated at evading detection. This underscores a universal truism in cybersecurity: the only constant is change. Unfortunately, that change is an ever-evolving threat landscape.

On the upside, AlienVault can help you to stay at pace with the bad actors.

How Does AlienVault Help?

To enable you to combat malware threats like ROKRAT, AlienVault Unified Security Management (USM) combines multiple essential security capabilities needed to detect, prioritize, and respond to emerging threats.

One of the essential security capabilities in AlienVault USM is intrusion detection: network-based, host-based, and cloud-based. The built-in network intrusion detection system (NIDS) is used to monitor the network for suspicious activity and notify you via an alarm when activity related to malware, including ROKRAT, is discovered.

Our labs team recently updated the USM platform’s ability to detect this new threat by adding IDS signatures to detect malicious traffic as well as a correlation directive to link events from across a network that indicate a system compromised by ROKRAT. Learn more about these updates in the Threat Intelligence Update summary posted in our Forums, where you can keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens.

Note that in addition to the recent update of signatures for ROKRAT, the AlienVault Labs Security Research Team has also updated several other malware and ransomware signatures based on increased activity seen in the wild, including WannaCry, Executioner, Hidden-Tear, and Fireball.

AlienVault Labs and the Open Threat Exchange (OTX) community will continue to monitor the behavior of these threats and will update the information in OTX when appropriate.

The integration between OTX and AlienVault USM means that you are always up to date on the latest threat vectors, attacker techniques, and defenses, even if you don’t have your own in-house team of dedicated security researchers.

Whether you are an AlienVault USM user or not, you can create a free account in OTX and leverage the threat intelligence from this community of 53,000+ security professionals and researchers.

Start your free OTX account today!

Share this with others

Featured resources



2024 Futures Report

Get price Free trial