We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:Win32/Rokum.A!dha
Aliases: No associated aliases
Summary
Rokum, also commonly known as Okrum, has been in use by the actor NICKEL since at least 2017. Rokum malware is a DLL with basic backdoor functionality including retrieving files or running commands from the operator on the target device. Rokum is often used to download further malicious payloads.
NICKEL is a nation-state threat actor targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, the Caribbean, Europe, and North America. Read the following blog for details:
To help reduce the impact of this threat, you can:
- Contact your incident response team and start the incident response process. If you don't have one, contact Microsoft support for investigation and remediation services.
- Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
- Scope the incident. Find related devices, network addresses, and files in the incident graph.
- Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
