S0247 NavRAT
NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]
| Item | Value |
|---|---|
| ID | S0247 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 20 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | NavRAT uses the Naver email platform for C2 communications, leveraging SMTP. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | NavRAT creates a Registry key to ensure a file is executed upon reboot, establishing persistence. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | NavRAT leverages cmd.exe to perform discovery techniques. [1] NavRAT loads malicious shellcode and executes it in memory. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | NavRAT appends the output of multiple commands to a single TMP file using the `>>` redirection operator. [1] |
| enterprise | T1105 | Ingress Tool Transfer | NavRAT can download files remotely. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | NavRAT logs the keystrokes on the targeted system. [1] |
| enterprise | T1057 | Process Discovery | NavRAT uses `tasklist /v` to check running processes. [1] |
| enterprise | T1055 | Process Injection | NavRAT copies itself into a running Internet Explorer process to evade detection. [1] |
| enterprise | T1082 | System Information Discovery | NavRAT uses `systeminfo` on a victim's machine. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [1] |