Register to stream ATT&CKcon 2.0 October 29-30


NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]

ID: S0247
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface NavRAT leverages cmd.exe to perform discovery techniques. [1]
Enterprise T1074 Data Staged NavRAT writes multiple outputs to a TMP file using the >> method. [1]
Enterprise T1056 Input Capture NavRAT logs the keystrokes on the targeted system. [1]
Enterprise T1057 Process Discovery NavRAT uses tasklist /v to check running processes. [1]
Enterprise T1055 Process Injection NavRAT copies itself into a running Internet Explorer process to evade detection. [1]
Enterprise T1060 Registry Run Keys / Startup Folder NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence. [1]
Enterprise T1105 Remote File Copy NavRAT can download files remotely. [1]
Enterprise T1064 Scripting NavRAT loads malicious shellcode and executes it in memory. [1]
Enterprise T1071 Standard Application Layer Protocol NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP. [1]
Enterprise T1082 System Information Discovery NavRAT uses systeminfo on a victim’s machine. [1]

Groups That Use This Software

ID Name References
G0067 APT37 [1]