RockLoader is an intermediate downloader/loader malware used in large-scale malicious email campaigns, most notably by the financially motivated threat actor TA505. Proofpoint reported TA505 first introduced RockLoader in April 2016 as an intermediate loader for Locky ransomware, and observed it being delivered through both JavaScript attachments and malicious document attachments in spam campaigns. RockLoader was also associated with distribution via the Necurs botnet.
Its primary role is to retrieve and install follow-on payloads. While initially used to deliver Locky, Proofpoint also observed RockLoader loading Dridex 220, Pony, and Kegotip, so the loader is not tied to a single payload. Reported command-and-control functionality included encrypted communications and commands such as "getjob," "UPDATE," and "DEL." Newer versions reportedly added XOR-based obfuscation of the API names resolved at runtime (a simple 8-byte key, with some formerly static imports such as ShellExecuteA moved to dynamic resolution), embedded UAC bypass components, and a JSON field named "key" used to decrypt downloaded files. Proofpoint also reported that RockLoader could bypass UAC on both 32-bit and 64-bit Windows using the cliconfg.exe and ntwdblib.dll technique: cliconfg.exe is a Microsoft-signed, auto-elevating binary that loads ntwdblib.dll from the system directory, and because Windows does not ship that DLL there, a planted copy is loaded at high integrity without a consent prompt. On 64-bit hosts the reporting describes a separate extracted executable performing SetWindowsHookEx-based DLL injection into explorer.exe; on 32-bit hosts the RockLoader binary performs the same injection itself.
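The cliconfg.exe / ntwdblib.dll bypass leaves two host artifacts that are cheap to detect: a file named ntwdblib.dll appearing under System32 or SysWOW64, and cliconfg.exe loading that DLL. The following is an added example written for this page, not RockLoader code and not a vendor rule; it runs that detection logic over a handful of constructed Sysmon-style events. The field names (EventID, Image, ImageLoaded, TargetFilename, ParentImage) follow Sysmon's schema, the severities are this example's own choice, and the events themselves are made up.

```python
"""
Added example: detection logic for the cliconfg.exe / ntwdblib.dll UAC bypass,
applied to constructed Sysmon-style events (not real telemetry).
"""
from typing import Dict, List, Optional, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRIGGER_EXE = "cliconfg.exe"   # auto-elevating Microsoft binary abused by the bypass
HIJACK_DLL = "ntwdblib.dll"    # DLL it loads; not normally present in the system dirs
SEV_RANK = {"high": 0, "medium": 1, "low": 2}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def classify(ev: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one event, or None if it is not interesting."""
    eid = ev.get("EventID")
    image = _base(str(ev.get("Image", "")))

    # Sysmon 11 (FileCreate): the hijack DLL being staged into a system directory.
    # explorer.exe as the writer matches the inject-into-explorer step in the reporting.
    if eid == 11:
        target = str(ev.get("TargetFilename", ""))
        if _base(target) == HIJACK_DLL and _in_system_dir(target):
            sev = "high" if image == "explorer.exe" else "medium"
            return sev, f"{HIJACK_DLL} written to {target} by {ev.get('Image')}"

    # Sysmon 7 (ImageLoad): the auto-elevated binary actually loaded the planted DLL.
    if eid == 7 and image == TRIGGER_EXE:
        loaded = str(ev.get("ImageLoaded", ""))
        if _base(loaded) == HIJACK_DLL:
            return "high", f"{TRIGGER_EXE} loaded {loaded} (auto-elevated DLL hijack)"

    # Sysmon 1 (ProcessCreate): cliconfg.exe is rarely run legitimately; worth a look.
    if eid == 1 and image == TRIGGER_EXE:
        return "low", f"{TRIGGER_EXE} started by {ev.get('ParentImage')}"

    return None


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify() over an event stream; alerts come back highest severity first."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"ts": ev.get("UtcTime"), "severity": hit[0], "reason": hit[1]})
    return sorted(alerts, key=lambda a: SEV_RANK[str(a["severity"])])


# Constructed sample events (assumed values, not captured telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "UtcTime": "2016-04-07 10:01:02", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\System32\\ntwdblib.dll"},
    {"EventID": 1, "UtcTime": "2016-04-07 10:01:03", "Image": "C:\\Windows\\System32\\cliconfg.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "UtcTime": "2016-04-07 10:01:03", "Image": "C:\\Windows\\System32\\cliconfg.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntwdblib.dll"},
    {"EventID": 7, "UtcTime": "2016-04-07 10:02:00", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 11, "UtcTime": "2016-04-07 10:03:00", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft SQL Server\\80\\Tools\\Binn\\ntwdblib.dll"},
    {"EventID": 11, "UtcTime": "2016-04-07 10:04:00", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\rock.exe",
     "TargetFilename": "C:\\Windows\\SysWOW64\\ntwdblib.dll"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["ts"], a["reason"])
```

The SysWOW64 case is what a 32-bit RockLoader image would produce on a 64-bit host; a legitimate SQL Server client install writes ntwdblib.dll under Program Files, which is why the path check matters more than the file name alone.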
The malware appeared in the context of very large email campaigns, including April 2016 activity targeting organizations primarily in the United Kingdom and France. Supporting reporting states RockLoader was under active development and gaining new features frequently. Associated entities mentioned in the reporting are the payload families Locky, Dridex, Pony, and Kegotip, the threat actor TA505, and the Necurs botnet used for distribution.
1 distinct threat actor attributed by public researchers.
TA505 first introduced Rockloader in April 2016 as an intermediate loader for Locky.
10 distinct techniques documented for this family, organized by ATT&CK tactic.
In recent weeks, we detected a marked increase in email campaigns attempting to install Locky... This particular campaign... used malicious document attachments... Outside of the very large campaign detected on April 7th, the ransomware in many of these campaigns is being installed via JavaScript attachment files rather than documents.
This particular campaign, primarily targeting UK and French organizations, used malicious document attachments and a new malware variant we are calling RockLoader... the ransomware in many of these campaigns is being installed via JavaScript attachment files rather than documents.
On 64-bit systems an executable is extracted and run which performs SetWindowsHookEx-based DLL injection into explorer using a DLL contained in the binary’s resources... On 32-bit operating systems, the DLL injection is performed via the same method from the original RockLoader binary itself.
In addition to the use of Rockloader, threat actors distributing Locky have been using an array of obfuscation techniques... Increasingly convoluted JavaScript obfuscation... The specific JavaScript that downloads Locky uses obfuscation techniques including character substitution, string concatenation, dead code, integer to character conversion, and other tricks.
The downloader’s runtime API resolution code has been modified to obfuscate the names of APIs being resolved using a simple 8-byte XOR algorithm... Some APIs that were static imports before, such as ShellExecuteA, are now resolved dynamically.
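A repeating 8-byte XOR over API names hides the import table from static string tools but is trivially reversible once one plaintext is known: any API name of at least eight characters that you expect the loader to resolve (ShellExecuteA is a natural guess given the quote above) pins down every key byte. The block below is an added example for this page, not RockLoader's code or Proofpoint's; it models the obfuscation on a constructed string table and then performs that known-plaintext key recovery. The table layout (a length byte followed by the XORed name, with the key restarting at each entry) and the sample key are assumptions of this example, not a documented RockLoader format.

```python
"""
Added example: toy model of "API names obfuscated with a simple 8-byte XOR"
and the known-plaintext key recovery an analyst applies to a dumped table.
Table format and key are constructed for this example.
"""
from itertools import cycle
from typing import List, Optional

KEY_LEN = 8  # the reporting describes an 8-byte XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_table(names: List[str], key: bytes) -> bytes:
    """Serialise API names as <len><xor(name)> records (assumed format)."""
    out = bytearray()
    for name in names:
        raw = name.encode("ascii")
        out.append(len(raw))
        out += xor_bytes(raw, key)
    return bytes(out)


def parse_table(blob: bytes) -> List[bytes]:
    """Split the blob into the still-obfuscated per-name records."""
    entries, pos = [], 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        if pos + n > len(blob):
            raise ValueError("truncated record")
        entries.append(blob[pos:pos + n])
        pos += n
    return entries


def is_api_like(s: bytes) -> bool:
    """Resolved API names are plain ASCII identifiers."""
    try:
        return s.decode("ascii").isidentifier()
    except UnicodeDecodeError:
        return False


def recover_key(entries: List[bytes], known: bytes) -> Optional[bytes]:
    """Known-plaintext attack. Each record of matching length is tried as the
    ciphertext of `known`; the candidate key must decode that record to exactly
    `known` (bytes past the key period catch wrong guesses) and must decode every
    other record to something that looks like an API name."""
    if len(known) < KEY_LEN:
        return None  # too short to determine every key byte
    for rec in entries:
        if len(rec) != len(known):
            continue
        cand = bytes(c ^ p for c, p in zip(rec[:KEY_LEN], known[:KEY_LEN]))
        if xor_bytes(rec, cand) != known:
            continue
        if all(is_api_like(xor_bytes(e, cand)) for e in entries):
            return cand
    return None


def decode_table(blob: bytes, key: bytes) -> List[str]:
    """Recover the cleartext API names once the key is known."""
    return [xor_bytes(e, key).decode("ascii") for e in parse_table(blob)]


# Constructed sample: the table as a loader might embed it; the key is "unknown".
SAMPLE_KEY = bytes.fromhex("1337deadbeef4299")
SAMPLE_NAMES = ["LoadLibraryA", "GetProcAddress", "ShellExecuteA",
                "CreateProcessA", "VirtualAlloc"]
SAMPLE_BLOB = build_table(SAMPLE_NAMES, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(parse_table(SAMPLE_BLOB), b"ShellExecuteA")
    print("recovered key:", key.hex() if key else None)
    print(decode_table(SAMPLE_BLOB, key) if key else "no key")
```

If the real sample XORs a single contiguous buffer rather than restarting the key per string, the same attack applies with the key offset taken modulo 8 from the string's position in the buffer; a quick sanity check either way is that every decoded string is an identifier.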
The malware is able to issue commands including “getjob” to which the server may respond with a list of URLs linking to files to download and execute or with a “task”.
This actor is frequently using it as an intermediate “downloader”. This downloader has been distributed both through JavaScript attachments and malicious documents and, in turn, downloads Locky... on April 6th and 7th, 2016, we spotted this downloader being used to load other malware including Dridex 220, Pony, and Kegotip.
3 sources tracked across advisories, community write-ups, and news.
Intermediate loader initially delivered by attached JavaScript; used to download Locky and sometimes Pony and Kegotip.
Malware distributed by the Necurs botnet (further details not provided in the content).
Intermediate downloader under active development that is delivered via JavaScript attachments and malicious documents, communicates with a C2 server using encrypted traffic, can download and execute Locky and other malware, supports update/delete/tasking commands, and includes UAC bypass capability.