NavRAT is a remote access trojan (RAT) that can upload, download and execute files, run commands, and log keystrokes. Once running, it copies itself to %ProgramData%\Ahnlab\GoogleUpdate.exe, a path that borrows both the name of AhnLab, a well-known South Korean security vendor, and the file name of Google's legitimate updater, so the copy blends in with software a user would expect to find. For persistence it creates a registry key that executes this copy on the next reboot. The infection chain begins when the victim opens a malicious document, which downloads NavRAT; the RAT then carries out its actions on the compromised host.
The compilation path embedded in the binary suggests that NavRAT has existed since 2016 and that the analysed sample may be version 10. To collect data, it runs commands and appends the output of each one to a single TMP file using the ">>" redirection operator, so the results of several commands end up in one place. It can also download and execute an additional payload hosted on compromised websites. Notably, in this campaign NavRAT used the South Korean email provider Naver for command and control, whereas earlier, related attacks such as ROKRAT relied on cloud providers.
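The two host-level behaviours above (the self-copy to the AhnLab-themed path plus a Run key pointing at it, and command output appended to a TMP file with ">>") are concrete enough to hunt for in endpoint telemetry. The script below is an added example, not code from the original write-up or from Talos: it triages a handful of constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue). The Run key value name "Ahnlab", the HKU key path and the location of Google's genuine GoogleUpdate.exe are assumptions for the example; the write-up only says that a registry key is created.

```python
"""Triage constructed Sysmon-style events for NavRAT persistence and
command-output patterns. All events below are constructed for this example,
not captured telemetry; field names follow Sysmon's schema."""
import re

# Path the write-up gives for the RAT's copy of itself (lower-cased for comparison).
NAVRAT_COPY = r"%programdata%\ahnlab\googleupdate.exe"

# Directory fragment where a genuine GoogleUpdate.exe lives. Assumption based on
# Google's standard install layout; the write-up does not discuss the real binary.
LEGIT_GOOGLEUPDATE_FRAGMENT = "\\google\\update\\"

# Command output appended to a .tmp file, e.g. "cmd /c systeminfo >> out.tmp".
APPEND_TO_TMP = re.compile(r'>>\s*"?[^\s"]+\.tmp\b', re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case, strip quotes and expand %ProgramData% so spellings compare equal."""
    p = path.strip().strip('"').lower()
    return p.replace("%programdata%", "c:\\programdata")


def is_navrat_drop(path: str) -> bool:
    """Exact match on the self-copy path named in the write-up."""
    return normalize(path) == normalize(NAVRAT_COPY)


def is_suspicious_googleupdate(path: str) -> bool:
    """GoogleUpdate.exe anywhere other than Google's own update directory."""
    p = normalize(path)
    return p.endswith("\\googleupdate.exe") and LEGIT_GOOGLEUPDATE_FRAGMENT not in p


def triage(events):
    """Return (severity, reason, evidence) tuples for events matching the patterns."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            target = ev.get("TargetFilename", "")
            if is_navrat_drop(target):
                findings.append(("high", "NavRAT self-copy written", target))
            elif is_suspicious_googleupdate(target):
                findings.append(("medium", "GoogleUpdate.exe outside Google's directory", target))
        elif eid == 13:  # RegistryEvent (SetValue)
            key = ev.get("TargetObject", "").lower()
            details = ev.get("Details", "")
            if "\\currentversion\\run\\" in key and is_suspicious_googleupdate(details):
                sev = "high" if is_navrat_drop(details) else "medium"
                findings.append((sev, "Run key points at a GoogleUpdate.exe lookalike", details))
        elif eid == 1:  # ProcessCreate
            image = ev.get("Image", "").lower()
            cmdline = ev.get("CommandLine", "")
            if image.endswith("\\cmd.exe") and APPEND_TO_TMP.search(cmdline):
                findings.append(("low", "cmd.exe appends output to a .tmp file", cmdline))
    return findings


# Constructed sample: three NavRAT-like events followed by two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\ProgramData\Ahnlab\GoogleUpdate.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ahnlab",
     "Details": r"C:\ProgramData\Ahnlab\GoogleUpdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c systeminfo >> C:\Users\victim\AppData\Local\Temp\out.tmp"},
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "TargetFilename": r"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo done >> C:\Temp\install.log"},
]

if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {evidence}")
```

The ">>" rule is deliberately rated low on its own: installers and scripts append to files all the time, and it only becomes interesting when it co-occurs with the file drop or the Run key on the same host. The GoogleUpdate.exe check generalises beyond NavRAT to any sample that borrows the updater's name outside Google's directory.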
There are indications, assessed with medium confidence, that NavRAT is the work of the group known as Group123. The design of NavRAT's shellcode resembles that of ROKRAT, which is attributed to the same group. NavRAT also contains none of the false flags that other, non-Group123 actors have planted in their tooling, which is further consistent with a Group123 origin. Even so, there is no definitive proof of a direct link between NavRAT and ROKRAT. Snort rules covering this threat are distributed in the rule packs available for purchase on Snort.org, so users should keep their rule set current.
Description last updated: 2024-05-05T06:49:17.169Z