AhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of abnormally large shortcut files (*.LNK) that deliver backdoor-type malware. The payload ultimately executed from “viewer.dat” is RokRAT, a backdoor that uses cloud-service APIs to collect user information and carries out further malicious actions on the threat actor’s command.
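The one observable the page names is file size: a legitimate shortcut is a small header plus a few strings, so a .LNK of megabytes is worth a look. The script below is an added example, not ASEC’s or X-Force’s code. It parses the fixed ShellLinkHeader and the variable-length structures that follow it as laid out in MS-SHLLINK, extracts the command-line arguments string, and reports how many bytes trail the last ExtraData block. The 1 MiB threshold, the constructed sample shortcut and its placeholder argument string are assumptions, not values from the campaign.

```python
"""Triage a Windows shortcut (.LNK) for the "abnormal size" pattern.

Added example for this page (not ASEC/X-Force tooling). Field layout follows
MS-SHLLINK; SIZE_THRESHOLD and build_sample_lnk() are assumptions.
"""
import struct
import sys
from typing import Dict

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SIZE_THRESHOLD = 1024 * 1024  # assumption: a legitimate shortcut is a few KB

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData item: u16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    width = 2 if unicode else 1
    raw = data[off:off + count * width]
    text = raw.decode("utf-16-le" if unicode else "latin-1", errors="replace")
    return text, off + count * width


def triage_lnk(data: bytes, threshold: int = SIZE_THRESHOLD) -> Dict:
    """Return header validity, size verdict, arguments string and trailing byte count."""
    result = {"is_lnk": False, "size": len(data), "oversized": False,
              "arguments": None, "trailing_bytes": 0}
    if len(data) < LNK_HEADER_SIZE:
        return result
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return result
    result["is_lnk"] = True
    result["oversized"] = len(data) > threshold
    (flags,) = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:          # u16 IDListSize + IDList
            (id_list_size,) = struct.unpack_from("<H", data, off)
            off += 2 + id_list_size
        if flags & HAS_LINK_INFO:                    # u32 LinkInfoSize covers the whole structure
            (link_info_size,) = struct.unpack_from("<I", data, off)
            off += link_info_size
        unicode = bool(flags & IS_UNICODE)
        strings = {}
        for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                          ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                          ("icon_location", HAS_ICON_LOCATION)):
            if flags & bit:
                strings[name], off = _read_string(data, off, unicode)
        result["arguments"] = strings.get("arguments")
        # ExtraData: blocks led by a u32 BlockSize; a size below 4 is the terminal block.
        while off + 4 <= len(data):
            (block_size,) = struct.unpack_from("<I", data, off)
            if block_size < 4:
                off += 4
                break
            off += block_size
        result["trailing_bytes"] = max(0, len(data) - off)  # bytes after the shortcut proper
    except struct.error:
        result["parse_error"] = True
    return result


def build_sample_lnk(arguments: str, payload_size: int) -> bytes:
    """Constructed sample: header with only HasArguments|IsUnicode set, one argument
    string, a terminal ExtraData block, then payload_size filler bytes appended."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)  # LinkFlags
    header += struct.pack("<I", 0x20)                         # FileAttributes (ARCHIVE)
    header += b"\x00" * 24                                    # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    body = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    body += b"\x00\x00\x00\x00"                               # terminal ExtraData block
    return header + body + b"A" * payload_size


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage_lnk(fh.read()))
    else:
        demo = build_sample_lnk("/c start demo.txt", 2 * 1024 * 1024)  # placeholder arguments
        print(triage_lnk(demo))
```

Run it against a directory of shortcuts; an oversized hit with a non-zero trailing byte count and an arguments string invoking a shell or script interpreter is the shape of shortcut the article describes, and the trailing bytes are what to carve and hash next.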
Disclaimer: This article is part of X-Force OSINT Advisories automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.
Reference:
https://asec.ahnlab.com/en/65076/
Sample Indicators of Compromise (file hashes; on this page the individual values have run together into one 160-character hex string and the boundaries between them are not preserved, so confirm each hash against the referenced article before adding it to a blocklist):
68386fa9933b2dc5711dffcee0748115b85a6b1eb7418aa5da108bc0df824fc0bd98fe95107ed54df3c809d7925f2d2cbd07b927bb765ccfc94fadbc912b022635441efd293d9c9fb4788a3f0b4f2e6b