North Korean APT37 Used a Maldoc with a VBA self decode technique to inject RokRat
released on 2021-01-06 @ 06:22:28 PM
Malwarebytes Lab has identified a malicious document uploaded to Virus Total, which was purporting to be a meeting request likely used to target the government of South Korea. The document requested a meeting for 23 Jan 2020.
The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad.