NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]

ID: S0247
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 20 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

NavRAT leverages cmd.exe to perform discovery techniques.[1] NavRAT loads malicious shellcode and executes it in memory.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

NavRAT writes multiple outputs to a TMP file using the >> method.[1]

Enterprise T1105 Ingress Tool Transfer

NavRAT can download files remotely.[1]

Enterprise T1056 .001 Input Capture: Keylogging

NavRAT logs the keystrokes on the targeted system.[1]

Enterprise T1057 Process Discovery

NavRAT uses tasklist /v to check running processes.[1]

Enterprise T1055 Process Injection

NavRAT copies itself into a running Internet Explorer process to evade detection.[1]

Enterprise T1082 System Information Discovery

NavRAT uses systeminfo on a victim’s machine.[1]

Groups That Use This Software

ID Name References
G0067 APT37