JUST RELEASED: ATT&CK for Industrial Control Systems
SOFTWARE
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. NavRAT

NavRAT

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]

ID: S0247
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

NavRAT leverages cmd.exe to perform discovery techniques.[1]
Enterprise T1074 Data Staged

NavRAT writes multiple outputs to a TMP file using the >> method.[1]
Enterprise T1056 Input Capture

NavRAT logs the keystrokes on the targeted system.[1]
Enterprise T1057 Process Discovery

NavRAT uses tasklist /v to check running processes.[1]
Enterprise T1055 Process Injection

NavRAT copies itself into a running Internet Explorer process to evade detection.[1]
Enterprise T1060 Registry Run Keys / Startup Folder

NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[1]
Enterprise T1105 Remote File Copy

NavRAT can download files remotely.[1]
Enterprise T1064 Scripting

NavRAT loads malicious shellcode and executes it in memory.[1]
Enterprise T1071 Standard Application Layer Protocol

NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[1]
Enterprise T1082 System Information Discovery

NavRAT uses systeminfo on a victim’s machine.[1]

Groups That Use This Software

ID Name References
G0067 APT37

NavRAT is linked to APT37 with medium confidence.[1]

References

  1. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.