NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]

ID: S0247
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1059Command-Line InterfaceNavRAT leverages cmd.exe to perform discovery techniques.[1]
EnterpriseT1074Data StagedNavRAT writes multiple outputs to a TMP file using the >> method.[1]
EnterpriseT1056Input CaptureNavRAT logs the keystrokes on the targeted system.[1]
EnterpriseT1057Process DiscoveryNavRAT uses tasklist /v to check running processes.[1]
EnterpriseT1055Process InjectionNavRAT copies itself into a running Internet Explorer process to evade detection.[1]
EnterpriseT1060Registry Run Keys / Startup FolderNavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[1]
EnterpriseT1105Remote File CopyNavRAT can download files remotely.[1]
EnterpriseT1064ScriptingNavRAT loads malicious shellcode and executes it in memory.[1]
EnterpriseT1071Standard Application Layer ProtocolNavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[1]
EnterpriseT1082System Information DiscoveryNavRAT uses systeminfo on a victim’s machine.[1]


Groups that use this software: