APT37 Leverages Facebook Friend Requests to Deploy RokRAT Remote Access Trojan
What Happened — North Korean state‑linked group APT37 (ScarCruft) launched a multi‑stage social‑engineering campaign on Facebook, adding target accounts as friends and using the platform to deliver the RokRAT remote‑access trojan. The malware is installed after victims click malicious links or download compromised files shared via private messages.
Why It Matters for TPRM —
- State‑sponsored actors are exploiting consumer‑grade social networks to reach corporate and government personnel, bypassing traditional perimeter defenses.
- RokRAT provides full system control, enabling data exfiltration, credential theft, and lateral movement within third‑party environments.
- Vendors that rely on Facebook for communications or employee outreach may inadvertently expose their supply‑chain partners.
Who Is Affected — Government & public sector, defense contractors, telecommunications, technology SaaS providers, and any organization whose staff maintain personal Facebook accounts.
Recommended Actions —
- Instruct employees to treat unsolicited friend requests and direct messages on social platforms as suspicious.
- Enforce strict verification procedures before clicking links or downloading files from personal social accounts.
- Review third‑party risk assessments for vendors that use Facebook for business communications; require secure channels for file exchange.
Technical Notes — Attack vector: phishing via Facebook friend requests and private messaging. Malware: RokRAT (remote‑access trojan) capable of keylogging, screen capture, and command‑and‑control over HTTP/HTTPS. No specific CVE cited. Data at risk includes credentials, intellectual property, and internal communications.
Source: The Hacker News