The evolution of North Korean Android spyware: ROKRAT & RambleOn

Ovi
Please note that in this article, when I mention ROKRAT, I am specifically referring to the Android variant of the malware and not the variants for other operating systems.

Introduction

In December 2022, working with Interlab, we discovered a seemingly novel piece of Android spyware that was targeting human rights activists in South Korea. I published a reverse engineering report on the spyware through Interlab's website, which you can find here. I called this spyware RambleOn. At the time of writing, I hadn't seen any samples of that nature disclosed anywhere else or within my retro-hunting. It was apparent, though, that many functions and features of the spyware were similar to those of ROKRAT, a malware family attributed to the North Korean threat group APT37. After publishing our research, the industry iterated on the findings and brought to light more similarities between RambleOn and historic ROKRAT. In Check Point's report on the Windows ROKRAT malware they stated:

Originally supporting only Windows, over the years ROKRAT has adapted to other platforms, with macOS and Android versions discovered in the wild. The macOS version, also known as CloudMensis, was first described by ESET in July 2022. Although Android versions of ROKRAT have existed for a long time, InterLab and S2W both introduced a newer version of ROKRAT on Android, known as RambleOn (Cumulus). All of this demonstrates that this malware is still being actively developed and distributed.

The relationship between RambleOn and ROKRAT is highly apparent, but it was hard for me to determine whether it should be classified as the same malware family. This is because ROKRAT was primarily used as a dropper. The malware functionality I saw in RambleOn was significantly more advanced and spyware-like. Not to mention, RambleOn's latest versions are multi-payload malware, where ROKRAT itself wasn't, though it did contain similar functionality in its installation and C2 mechanisms. For the sake of continuity, you might argue that classifying it as ROKRAT would make more sense, and in some ways I agree, but the difference in functionality and modality is so significant that it appears the threat actors completely re-engineered the ROKRAT malware. In addition, ROKRAT as a family covers multiple operating systems, which can become confusing. To me, treating this new spyware as its own entity made the most sense.

After S2W and Check Point released their research on RambleOn and ROKRAT, I did some further retro-hunting across my malware database and VirusTotal. I ended up finding clear code similarities between ROKRAT samples seen in the middle of 2018 and RambleOn samples from 2019 to 2023. This analysis provides further constructive evidence that RambleOn is a completely re-engineered version of the ROKRAT Android variant. These findings also demonstrate a shift in Android malware development by North Korean threat groups. I presented this research at RightsCon 2023 in the North Korean human rights panels, and the full write-up is now available below.

More context

The research presented here helps to understand the evolutionary steps the ROKRAT Android malware has taken. Early sightings of ROKRAT back in 2017 showed it was mostly intended to be a backdoor and dropper, providing remote access to a device and deploying additional payloads. In 2019 it was significantly re-engineered to include more spyware functionality, stealing data such as SMS messages and recording audio, in addition to a new C2 mechanism. This re-engineering of ROKRAT from a backdoor/dropper into a more advanced piece of spyware is significant in itself, and is why I classify the result as RambleOn. It demonstrates the active development and distribution of Android-based malware by APT37. It also specifically shows that the threat actor behind both malware variants is evolving to be more interested in distributing Android malware with spying capabilities.

Since many threat intelligence teams across the world classify ROKRAT as being created by the North Korean state-funded threat group APT37, this research also supports attribution. My comparison of ROKRAT samples with the more advanced version, RambleOn, demonstrates that there are many ‘line for line’ and similar code matches. This suggests that RambleOn is an Android spyware being actively distributed by APT37.

I first received the sample in December 2022 from a journalist who worked on North Korea-related investigations. The journalist received a suspicious interaction from an unknown user on WeChat. The originating sender asked the journalist to install a “secure” chat application to continue talking. Since then, the research into and discovery of the RambleOn malware has allowed the software and cyber defense industry to improve detections for Android spyware by analyzing how RambleOn operates and signaturing it.

In light of our original findings in 2022, the threat research group Talon from S2W furthered the research on the malware by uncovering 4 other variants of RambleOn which date back as early as 2019. S2W published their research in March 2023 and renamed RambleOn and its subsequent variants to Cumulus. (Personally, I'm not sure why they did this. Despite the reasoning behind naming RambleOn... RambleOn (which I have already discussed), renaming it again is just really confusing.) For the sake of continuity across the industry, both information security and human rights, and to respect my original findings and research, I will continue to classify this malware and its variants as RambleOn.

S2W’s research on the RambleOn variants also shed light on similarities between RambleOn’s second stage payload and a historic sample of ROKRAT, an Android malware that was attributed to APT37 (aka ScarCruft). S2W suggests that, due to this similarity, RambleOn is a progression of the mobile version of ROKRAT in later years. In May 2023, Check Point Research released further research on the ROKRAT malware; although it specifically covered the Windows version, they did acknowledge our research into RambleOn as a newer version of ROKRAT.

After researching further, I have found more samples that demonstrate the similarities between RambleOn’s second payload stage and ROKRAT, which gives an indication of further attribution possibilities and allows the evolution of the malware to be observed across its timeline.

Joining the dots between ROKRAT (Android) and RambleOn

S2W found that the 2022-2023 RambleOn version’s second payload had code similarities with a ROKRAT sample found to be used by APT37 in 2017; see Figure 1 below for the reference point. However, S2W stated that the similarities were contained in the 6th version (“Clugin6.0” or “Plugin6.0”) of the secondary RambleOn payload; they didn’t refer to any other versions of RambleOn. It is important to note here that there are only small changes between the second payload that we first identified in 2022 and the latest 6th version (“Clugin6.0” or “Plugin6.0”) seen by S2W in early 2023 (again, a continuity issue). The result is only a small iteration of features, and because of these small iterations, all RambleOn secondary payloads found in 2022 and 2023 (including the first one we identified in December 2022) contain direct code similarities with the 2017 ROKRAT samples. Thus, the code similarities apply to all samples seen between the 2017 ROKRAT sample and the 2022 to March 2023 RambleOn payloads, not just the ones that S2W found.

Figure 1 Ref: https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab

Further to this, I conducted analysis on the malicious APK used in the comparison by S2W, seen on the left side of Figure 1, with the process name “com.android.systemservice”. This sample was classified as a ROKRAT Android variant and observed in an attack campaign classified as DOKKAEBI. This campaign was attributed to the North Korean state-funded group APT37. I acknowledge S2W’s correlations between RambleOn and the ROKRAT Android variant observed in DOKKAEBI, particularly with regard to utilizing cloud services to modify SharedPreferences to facilitate C2 communication.

When conducting further historic analysis, I found an additional sample of this ROKRAT Android variant (4a45d78b08f4cd62b9c6013adb6140e02cb102c21f837ca65f6703d237fbf4ac), which was first seen in the wild by Google on 2018-05-16 05:08:50 UTC. After analysis, I identified a close correlation between this sample and the 2017 version, this time with enhanced functionality and an even closer resemblance to all RambleOn variants. Notably, there are many observations in this version that indicate it is a later variant release of the 2017 Android ROKRAT malware, this time seen in the middle of 2018.

Table 1 below details some notable differences in the APK compilation information that support this indication:

Table 1 Comparative data between the 2017 and 2018 versions of ROKRAT Android malware

The changes between the 2017 Android ROKRAT payload discussed in the DOKKAEBI campaign and the sample we found from the middle of 2018 are significant. The 2017 ROKRAT sample (bded85d7024b6cf86cc9ce45ec851c80cb13790b9c4bd63b0b22b0fb672e9dce) operates as a loader/dropper, using Yandex Cloud to download a secondary payload and the DexClassLoader functionality in Android to run the additional payload. The 2018 ROKRAT sample does the same, but additionally performs minor reconnaissance and persistence activity. In addition, this version utilized Dropbox rather than Yandex. What is most notable about the mid-2018 version is that it demonstrates a closer (and in some cases line-for-line) code match with RambleOn. When considering the functionality, if we compare all three payloads, the 2017 ROKRAT sample from the DOKKAEBI campaign, the mid-2018 ROKRAT sample we have identified here and RambleOn’s 2022 to March 2023 secondary payload, we see the following iterations:

Table 2 Comparison of functionality between ROKRAT 2017, ROKRAT mid-2018 & 2022 to March 2023 RambleOn Stage 2 Payload

What we find here is a notable progression of functionality from the DOKKAEBI campaign in 2017 into a slightly enhanced version of ROKRAT in the 2018 campaigns. We see the single-stage payload of ROKRAT from 2017 to 2018 evolve into a multistage payload in 2022. In addition, exfiltration and spying functionality was added to the malware.
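As an added example (not code from the article, S2W or Check Point), here is a static triage heuristic for the loader pattern described above: an APK that carries a consumer cloud-storage URL and constructs a DexClassLoader to run a downloaded payload. It works on smali text from a decoder such as apktool; the host indicator list and the sample smali are constructed assumptions, not values taken from the analysed samples.

```python
# Added example, not code from the article or the analysed samples: static triage
# heuristic for the loader pattern described above (payload fetched from Dropbox/Yandex
# cloud storage, then run via DexClassLoader). Indicator lists are assumptions.
import re
from dataclasses import dataclass
CLOUD_HOSTS = ("dropboxapi.com", "yandex.net", "yandex.ru")
LOADER_INIT = re.compile(r"Ldalvik/system/(DexClassLoader|PathClassLoader);-><init>")
CONST_STRING = re.compile(r'const-string(?:/jumbo)? v\d+, "((?:[^"\\]|\\.)*)"')
PREFS_PUT = re.compile(r"Landroid/content/SharedPreferences\$Editor;->put")
METHOD_BLOCK = re.compile(r"^\.method ([^\n]+)\n(.*?)^\.end method", re.M | re.S)

@dataclass
class Finding:
    method: str         # smali method signature
    loader: str         # class loader constructed in that method
    hosts: list         # cloud-storage hosts in string constants of the same method
    writes_prefs: bool  # SharedPreferences write nearby (possible config/C2 store)

def _hosts_in(text):
    return sorted({h for s in CONST_STRING.findall(text) for h in CLOUD_HOSTS if h in s})

def triage_smali(smali):
    """One Finding per method that constructs a dynamic class loader."""
    findings = []
    for m in METHOD_BLOCK.finditer(smali):
        sig, body = m.group(1).strip(), m.group(2)
        loader = LOADER_INIT.search(body)
        if loader:
            findings.append(Finding(sig, loader.group(1), _hosts_in(body),
                                    bool(PREFS_PUT.search(body))))
    return findings

def verdict(smali):
    """Class-level verdict: loader construction plus a cloud-storage URL in the class."""
    findings = triage_smali(smali)
    if findings and _hosts_in(smali):
        return "cloud-backed loader pattern"
    return "dynamic code loading only" if findings else "no match"

# Constructed smali shaped like the described flow; not taken from any real sample.
SAMPLE_SMALI = """\
.method private fetch()V
    const-string v0, "https://content.dropboxapi.com/2/files/download"
.end method
.method private run(Ljava/lang/String;)V
    const-string v1, "/data/data/com.example.svc/files/p.jar"
    invoke-direct {v2, v1, v3, v4, v5}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-interface {v6, v7, v8}, Landroid/content/SharedPreferences$Editor;->putString(Ljava/lang/String;Ljava/lang/String;)Landroid/content/SharedPreferences$Editor;
    return-void
.end method
"""
```

The download URL and the loader live in different methods in the sample, so the class-level verdict is what ties them together; tune CLOUD_HOSTS to the storage providers seen in your own sample set.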

Further to this, we identify clear code matches between the ROKRAT samples and RambleOn from 2017 to 2023. In the table below, I have shown a snippet of code similarity across both ROKRAT samples from 2017 to 2018 and the RambleOn variants from 2019 to 2023 (note that this is just one snippet; the samples contain a far wider range of comparable code). You can observe that in mid-2018, ROKRAT was modified into a version that closely matches RambleOn from 2019 to 2023. The result is a near-exact, line-for-line code match between the mid-2018 ROKRAT sample and the later samples. This is constructive evidence supporting the suggestion that ROKRAT evolved into RambleOn, with RambleOn itself evolving from a single payload into multi-stage malware.

ROKRAT 2017 (APK)
ROKRAT early 2018 (APK)
ROKRAT mid 2018 (APK)
RambleOn spyware variant 2019 (APK)
RambleOn spyware variant 2020
RambleOn spyware variant 2022 - March 2023 - stage 2 payload

Evolution of functionality from ROKRAT to RambleOn

As discussed in S2W’s research, they identified one of the first early variants of RambleOn being distributed at least as early as 2019. This was a single-stage payload which, whilst still containing many code similarities to prior ROKRAT samples (seen in the images above), also clearly showed a re-engineering of the ROKRAT malware into an early version of the RambleOn spyware. To demonstrate this, Table 3 shows the ROKRAT functionality compared with RambleOn. The first sighting of RambleOn, in 2019, shows a clear jump in functionality from what was previously seen in ROKRAT in 2018, most notably the implementation of C2 communication over messaging. In 2020, we see little to no change in RambleOn’s functionality. For 2021, we currently have no sightings of samples. From 2022 to March 2023, we see RambleOn evolve into a multistage payload, where the primary attack functionality exists in the secondary payload whilst C2 communication remains in the first payload.

You can see here that the distinction between ROKRAT and RambleOn lies in the significant re-engineering of the ROKRAT malware to include a greater amount of exfiltration and C2 functionality. Further, you can see that ROKRAT was originally intended to be a dropper/loader. With the code similarities demonstrated in Table 3 and the functionality comparison in Table 4, there are clear correlations between ROKRAT and RambleOn. Furthermore, the evolution of RambleOn into a multistage payload from 2022 onwards demonstrates the threat actor’s clear intention of progressing their Android malware capability.

I hope that with the retrohunt analysis performed here, we can help researchers understand the evolution of ROKRAT from an effective RAT (remote access trojan) or dropper/loader into a more advanced piece of malware with more spyware characteristics, which I classify as RambleOn.

Table 4 Comparisons between ROKRAT & RambleOn versions

Indicators of compromise

I am tracking the samples identified in this VirusTotal Collection.

Notable samples:

Context | SHA256
2022 RambleOn variant | 0dadf1240fd097d15dee890d448cfab02d3ef8698bdc44e18f1b5495e500655f
Early 2018 ROKRAT variant | 21db3886f23e0829142327e0474349a178c22e57dc7dcbcccec0d770c3ab513c
Middle 2018 ROKRAT variant | 4a45d78b08f4cd62b9c6013adb6140e02cb102c21f837ca65f6703d237fbf4ac
2019 RambleOn variant | 748f0724c50bb4e494f8e92e495fa8ef6848a83fbdaf4ec606c8fb50c3ce8f51
ROKRAT 2017 (DOKKAEBI) | bded85d7024b6cf86cc9ce45ec851c80cb13790b9c4bd63b0b22b0fb672e9dce
2020 RambleOn variant | e6a7615d29b287f14ee044cd4e8e786f26709636cffb5f455cf500336ab96810


About this website

I am Ovi, an independent researcher. My work is solely related to human and digital rights activism, focusing on reverse engineering, data privacy violations and surveillance by hostile governments and private organizations that threaten humanity. I work with non-profit groups and directly with those at risk. As an independent researcher, getting my research, work and writings out can be hard, which is why I created this website. You can read more about this here. If you feel that you value this work, please consider subscribing, which will allow me to share my work directly with those who appreciate it without having to work with media organizations. Your subscription helps support me and my work, and also develops the space for independent researchers to truly be independent.

Newsletter

I'm going to write more about the RambleOn Android spyware and what I have learned about North Korean threat groups while working with activists in South Korea in my next newsletter. I am planning to release a copy every Friday (hopefully). This will be for subscribers only.