NavRAT is a Remote Access Trojan (RAT) discovered by Cisco Talos researchers targeting users in Korea. NavRAT is spread via spear-phishing emails that contain a malicious Hangul Word Processor (HWP) document with the title “Prospects for US-North Korea Summit,” written in Korean. Within the HWP document is an Encapsulated PostScript (EPS) object that executes malicious shellcode on the victim’s system once the document is downloaded. Unlike malware that relies on traditional C2 servers, NavRAT uses the legitimate Naver email platform for communications between the compromised machine and the attacker’s machine. When the shellcode executes, an additional payload is downloaded from a legitimate but compromised Korean website that, in turn, delivers the final payload. An image is then downloaded directly from the site using fileless execution, a process in which malicious code runs only in the memory of the victim’s system. Once on the system, the RAT copies itself and creates a registry key that allows the file to execute at the next system reboot, giving it persistence. NavRAT is capable of downloading and uploading files, executing commands on the victim host, and keylogging.
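A hunting sketch for the two behaviours described above, mail-platform C2 and registry persistence, added here as an example and not taken from the Cisco Talos analysis. The simplified Sysmon-style event shape, the Naver mail hostnames, the client allow-list and the Run-key location are assumptions, since this summary names none of them; the sample events are constructed.

```python
from collections import defaultdict
from ntpath import basename  # splits Windows paths on any OS

# Assumptions (not from the page): tune all three to your environment.
NAVER_MAIL_HOSTS = {"mail.naver.com", "imap.naver.com", "pop.naver.com", "smtp.naver.com"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"

# Constructed events: event_id 3 = network connection, 13 = registry value set.
EVENTS = [
    {"host": "ws01", "event_id": 3, "dest_host": "mail.naver.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws02", "event_id": 13,
     "image": r"C:\Users\kim\AppData\Roaming\sample.exe",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws02", "event_id": 3, "dest_host": "imap.naver.com",
     "image": r"C:\Users\kim\AppData\Roaming\sample.exe"},
    {"host": "ws03", "event_id": 3, "dest_host": "smtp.naver.com",
     "image": r"C:\Windows\System32\svchost.exe"},
]

def hunt(events):
    """Flag processes outside the allow-list that talk to Naver mail hosts.

    Severity is 'high' when the same process on the same host also wrote an
    autorun (Run/RunOnce) registry value, otherwise 'medium'.
    """
    autorun_writers = set()
    mail_talkers = defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["image"].lower())
        if ev["event_id"] == 13:
            if RUN_KEY_MARKER in ev.get("target", "").lower():
                autorun_writers.add(key)
        elif ev["event_id"] == 3:
            dest = ev.get("dest_host", "").lower()
            if dest in NAVER_MAIL_HOSTS and basename(key[1]) not in EXPECTED_CLIENTS:
                mail_talkers[key].add(dest)
    return [
        {"host": host, "image": image, "mail_hosts": sorted(dests),
         "severity": "high" if (host, image) in autorun_writers else "medium"}
        for (host, image), dests in sorted(mail_talkers.items())
    ]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Matching on the process image rather than the destination alone matters here because traffic to a legitimate mail platform is expected from browsers and mail clients and cannot simply be blocked.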

Technical Details:

  • Cisco Talos provides technical analysis on NavRAT, here.

Image Source: Cisco Talos