
S0247 NavRAT

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [1]

ID: S0247
Associated Names: (none)
Version: 1.1
Created: 17 October 2018
Last Modified: 20 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | NavRAT leverages cmd.exe to perform discovery techniques. [1] NavRAT loads malicious shellcode and executes it in memory. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | NavRAT writes multiple outputs to a TMP file using the >> method. [1] |
| enterprise | T1105 | Ingress Tool Transfer | NavRAT can download files remotely. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | NavRAT logs the keystrokes on the targeted system. [1] |
| enterprise | T1057 | Process Discovery | NavRAT uses tasklist /v to check running processes. [1] |
| enterprise | T1055 | Process Injection | NavRAT copies itself into a running Internet Explorer process to evade detection. [1] |
| enterprise | T1082 | System Information Discovery | NavRAT uses systeminfo on a victim's machine. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [1] |