NavRAT

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. ^[1]

ID: S0247

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 17 October 2018

Last Modified: 20 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	启动或登录自动启动执行: Registry Run Keys / Startup Folder	NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	NavRAT leverages cmd.exe to perform discovery techniques.^[1] NavRAT loads malicious shellcode and executes it in memory.^[1]
Enterprise	T1071	.003	应用层协议: Mail Protocols	NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	NavRAT writes multiple outputs to a TMP file using the >> method.^[1]
Enterprise	T1082		系统信息发现	NavRAT uses `systeminfo` on a victim’s machine.^[1]
Enterprise	T1105		输入工具传输	NavRAT can download files remotely.^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	NavRAT logs the keystrokes on the targeted system.^[1]
Enterprise	T1057		进程发现	NavRAT uses `tasklist /v` to check running processes.^[1]
Enterprise	T1055		进程注入	NavRAT copies itself into a running Internet Explorer process to evade detection.^[1]

Groups That Use This Software

ID	Name	References
G0067	APT37	^[1]

References

Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.