The APT37 (Advanced Persistent Threat) is a hacking group that has been around for a while and is believed to work in cooperation with the North Korean government (although this information is yet to be confirmed with full certainty). Most of the targets of the APT37 group are concentrated in South Korea and ten to be rather high-profile. Recently, the APT37 used spear-phishing emails to propagate a threat called NavRAT (Remote Access Trojan). Malware researchers regard the delivery method used by the attackers as rather intriguing. It also is interesting to point out that the infrastructure used in the campaigns involving NavRAT is not very conventional too.
Propagates via Spear-Phishing Emails
The aforementioned spear-phishing emails would contain an infected attachment in the shape of a ‘.HWP’ file. This corrupted file is named ‘Prospects for US-North Korean Summit.’ The Document Structuring Conventions-conforming (DSC) PostScript document, in this case, an Encapsulated PostScript (EPS) layout packs an obfuscated shellcode that is only run if all requirements are met. Once the threat is jacked up and running, it will make sure to connect to the server of its operators (which is located in South Korea) and fetch the main piece of malware that the attackers want to be planted on the host, in this case, NavRAT.
Gains Persistence and Operates Silently
The NavRAT Trojan will insert its files into the ‘%PROGRAMDATA%\AhnLab’ folder. The data in question is stored in a file named ‘GoogleUpdate.exe.’ It is important to note that since the targets of the APT37 are located in South Korea, the attackers have opted to use the name AhnLab, as this is commonly associated with a popular cybersecurity company in the region. When the NavRAT infiltrates a host successfully, it also will make sure that it gains persistence on the compromised system. This is done by generating a Registry key, which is meant to instruct Windows to run the NavRAT Trojan whenever the system is rebooted. To minimize the chances of their threat been spotted, APT37 has used legitimate running processes as hosts for their corrupted code.
The NavRAT is capable of what most Remote Access Trojans are:
- Execute remote commands.
- Collect keystrokes.
- Download and execute files.
- Upload and execute files.
The NavRAT Trojan Communicates with Its Operators via Email
However, instead of using the regular communication method between threat and remote C&C (Command & Control) server, the NavRAT communicates with its operators via email attachments. The email service utilized by the APT37 hacking group is called Naver and is rather popular in South Korea. The authors of the NavRAT Trojan have made sure to include login credentials and email address on every single copy of the threat that is being distributed. The NavRAT threat also receives the payloads of additional malware via email attachments.
The legitimate email service used by the evil-minded actors has since sniffed out the accounts of shady individuals and have shut them down since not only they have a responsibility to keep their clients safe but also being associated with a high-profile North Korean hacking group is not a good rep exactly.