
NavRAT

Posted: October 11, 2019

High-profile targets in South Korea were hit by a spear-phishing email campaign whose goal was to deliver NavRAT, a Remote Access Trojan believed to be part of the toolkit of APT37 (also known as ScarCruft, Group 123, Reaper and other names). While the RAT itself is not special in terms of functionality, the attackers use a very intriguing delivery method, as well as a surprising network infrastructure to control the RAT and retrieve data from it.

APT37 Delivers the NavRAT Trojan to South Korean Targets

The initial infection happens when the user receives an email attachment disguised as a '.HWP' document called 'Prospects for US-North Korea Summit' (the file's name is in Korean), which contains an embedded 'EPS' object designed for this campaign. The Encapsulated PostScript (EPS) object carries a piece of obfuscated, malicious shellcode that is executed only if certain conditions are met. Upon execution, the shellcode connects to a compromised South Korean server and downloads a second-stage payload from there: the NavRAT Trojan.

NavRAT plants its files in the '%PROGRAMDATA%\AhnLab' folder under the name 'GoogleUpdate.exe.' AhnLab is the name of a popular South Korean security company, so it is not surprising that the attackers have opted to use that name for this campaign. Persistence is gained by creating a Registry key that commands Windows to execute NavRAT whenever it boots up. Last but not least, NavRAT supports process injection: instead of running in a noisy, separate process, it can plant its code in an already running process (e.g., Internet Explorer) so as not to attract attention.
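The persistence mechanism above gives a defender a concrete thing to hunt for: an autostart entry that launches 'GoogleUpdate.exe' from '%PROGRAMDATA%\AhnLab'. The following is an added example written for this page (not code from the article or from any vendor) that normalizes Run-key command lines (quoting, arguments, environment variables, letter case) before comparing them with that path; it assumes the standard Windows Run key as the location to inspect, and the Run-value names and sample data are constructed.

```python
import ntpath
import re

SUSPECT_PATH = r"%PROGRAMDATA%\AhnLab\GoogleUpdate.exe"  # dropped path per article
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def expand_env(path, env):
    # Expand %VAR% tokens case-insensitively from the supplied environment map.
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def extract_exe(cmdline):
    # Return the executable part of a Run-value command line, quoted or not.
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def is_navrat_persistence(value_data, env):
    # True when the value launches the dropped path, whatever quoting or casing is used.
    exe = ntpath.normpath(extract_exe(expand_env(value_data, env))).lower()
    return exe == ntpath.normpath(expand_env(SUSPECT_PATH, env)).lower()

def scan_run_values(values, env):
    # Names of all Run values that point at the NavRAT executable.
    return [n for n, d in values.items() if is_navrat_persistence(d, env)]

def read_live_run_values():
    # On Windows, read HKCU and HKLM Run values with winreg; elsewhere return {}.
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    found[name] = str(data)
        except OSError:  # key absent or not readable
            continue
    return found

# Constructed sample values (not real telemetry) to exercise the check offline.
SAMPLE_ENV = {"PROGRAMDATA": r"C:\ProgramData"}
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /bg',
    "GoogleUpdate": r'"%PROGRAMDATA%\AhnLab\GoogleUpdate.exe"',
    "Updater": r"c:\programdata\ahnlab\GoogleUpdate.exe /silent",
}

print(scan_run_values(read_live_run_values() or SAMPLE_RUN_VALUES, SAMPLE_ENV))
```

On a Windows host the script inspects the live Run keys; on any other system it falls back to the constructed sample and reports the two matching entries.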

NavRAT Uses Email Attachments and Messages to Communicate with Its Operators

The list of features that NavRAT packs is not that impressive: it can download and execute files, execute remote commands, upload files and log keystrokes. All of NavRAT's actions are logged in a file stored in the same directory as the main executable. The surprising part is the communication channel the NavRAT Trojan uses to retrieve and send out information: it works through email attachments passed through Naver, a popular email service provider in South Korea. All NavRAT samples have an email address and login credentials hardcoded into them, and they use this account to send the attacker log files as attachments. The RAT uses the same trick to receive payloads: it fetches an email with an attachment, then downloads and executes the attached file on the compromised host.

The Naver accounts used to operate the NavRAT campaign have been terminated swiftly, thanks to the service provider's security policy, but it is unlikely that the APT37 group will cease using this hacking tool just because of this minor setback. Computers can be protected from NavRAT and similar threats by utilizing a reputable anti-virus product, as well as paying extra attention to the files you download from the Web.
