RokRAT exploits CVE-2018-4878, a Adobe Falsh 0-day vulnerability. Its is believed to be the work of supposedly North Korean Group 123 or APT37. RokRAT is disseminated via a excel file which has an ActiveX Object, that object is an embedded SWF file.
The embedded SWF object exploits Flash's Zero-day Use After Free (UAF) vulnerability identified by CVE-2018-4878. When then contact its command and control (C&C) server for shell codes which then will be executed in the memory. VirusTotal report of RokRAT can be found here. RokRAT execution flow is depicted in following image.