APT37 (Advanced Persistent Threat 37) is a hacking group that has been active for some time and is believed to operate in cooperation with the North Korean government, although this attribution has not been confirmed with full certainty. Most of APT37's targets are concentrated in South Korea and tend to be high-profile. Recently, APT37 used spear-phishing emails to distribute a threat called NavRAT (a Remote Access Trojan). Malware researchers regard the delivery method used by the attackers as intriguing, and the infrastructure used in the NavRAT campaigns is also unconventional.
Propagates via Spear-Phishing Emails
The spear-phishing emails carry a malicious attachment in the form of a ‘.HWP’ (Hangul Word Processor) file named ‘Prospects for US-North Korean Summit.’ Embedded in the document is a Document Structuring Conventions (DSC)-conforming PostScript object, in this case an Encapsulated PostScript (EPS) file, which packs obfuscated shellcode that runs only if all of its conditions are met. Once the shellcode is running, it connects to the operators' server (located in South Korea) and fetches the main piece of malware the attackers want planted on the host, in this case NavRAT.
Gains Persistence and Operates Silently
NavRAT drops its files into the ‘%PROGRAMDATA%\AhnLab’ folder, in a file named ‘GoogleUpdate.exe.’ Since APT37's targets are located in South Korea, the attackers chose the name AhnLab, which is commonly associated with a popular cybersecurity company in the region, so the folder looks legitimate at a glance. Once NavRAT has infiltrated a host, it also establishes persistence by creating a Registry key that instructs Windows to run the Trojan whenever the system is rebooted. To reduce the chance of the threat being spotted, APT37 runs its malicious code inside legitimate, already-running processes.
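The two persistence traits described above (an autorun entry pointing under %PROGRAMDATA%, and a file name borrowed from one vendor sitting in a folder named after another) are easy to check for in a Registry export. The following Python script is an added example, not code from this article or from any vendor it mentions: it parses a Windows .reg export of a Run key and reports entries that show either trait. The article does not name the Registry value NavRAT creates, so the value names, the user path and the .reg fragment are constructed sample data; only the %PROGRAMDATA%\AhnLab folder and the GoogleUpdate.exe file name come from the text.

```python
import re
from typing import Dict, List

# Constructed sample in Windows .reg export syntax, resembling the output of
# `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Value names
# and paths are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"GoogleUpdate"="C:\\ProgramData\\AhnLab\\GoogleUpdate.exe"
"Google Update"="\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /c"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Vendor hints, looked up separately in the file name and in the directory so
# that a mismatch between the two can be reported.
VENDOR_HINTS = {"google": "Google", "ahnlab": "AhnLab", "microsoft": "Microsoft"}


def _unescape(s: str) -> str:
    # Undo .reg escaping: a backslash before any character stands for that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command line} for every value under a CurrentVersion/Run key."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            in_run_key = section.group("key").lower().endswith("\\currentversion\\run")
            continue
        if in_run_key:
            value = VALUE_RE.match(line)
            if value:
                entries[_unescape(value.group("name"))] = _unescape(value.group("data"))
    return entries


def executable_path(command: str) -> str:
    """Pull the program path out of a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.search(r"\.exe", command, re.IGNORECASE)
    return command[: match.end()] if match else command.split(" ", 1)[0]


def _vendors(text: str) -> set:
    lowered = text.lower()
    return {label for hint, label in VENDOR_HINTS.items() if hint in lowered}


def assess_run_entry(command: str) -> List[str]:
    """Return the reasons an autorun entry deserves a closer look (empty if none)."""
    path = executable_path(command)
    directory, _, filename = path.rpartition("\\")
    reasons: List[str] = []
    if "\\programdata\\" in path.lower():
        reasons.append("target lives under ProgramData, which standard users can write to")
    file_vendors, dir_vendors = _vendors(filename), _vendors(directory)
    if file_vendors and dir_vendors and not (file_vendors & dir_vendors):
        reasons.append(
            f"file name suggests {', '.join(sorted(file_vendors))} "
            f"but folder suggests {', '.join(sorted(dir_vendors))}"
        )
    return reasons


def scan_reg_export(reg_text: str) -> Dict[str, List[str]]:
    """Map each suspicious Run value name to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for name, command in parse_run_entries(reg_text).items():
        reasons = assess_run_entry(command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # On a real host, read the file written by `reg export` with encoding="utf-16".
    for name, reasons in scan_reg_export(SAMPLE_REG_EXPORT).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The genuine Google updater in the sample is not reported because its file name and folder agree on the vendor, while the ProgramData entry is reported twice over. The same check applies unchanged to the HKLM Run key and to exports of RunOnce keys, since only the key suffix is matched.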
NavRAT has the capabilities typical of a Remote Access Trojan:
- Execute remote commands.
- Collect keystrokes.
- Download and execute files.
- Upload and execute files.
The NavRAT Trojan Communicates with Its Operators via Email
Instead of the usual direct connection between a threat and a remote C&C (Command & Control) server, NavRAT communicates with its operators through email attachments. The email service APT37 used is Naver, which is very popular in South Korea. Every distributed copy of NavRAT embeds the email address and login credentials of the account it uses, and the threat also receives additional malware payloads as email attachments.
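Because every copy of NavRAT carries its mailbox address and credentials in the binary, a string-level triage of a dropped file can reveal the email channel and the provider whose abuse desk should be notified. The following Python script is an added example, not code from this article or from any project it mentions: it extracts printable ASCII and UTF-16LE strings from a binary, reports embedded email addresses, the providers they belong to and mail-protocol command words, and gives a heuristic verdict. The sample bytes, the address and the verdict threshold are constructed for the example; NavRAT's own strings are not on this page. Packed or encrypted samples hide their strings until unpacked, so an empty result is not a clean bill of health.

```python
import re
from typing import Dict, List

# Printable-ASCII and UTF-16LE ("wide") strings of at least four characters,
# the two encodings Windows binaries normally use for embedded text.
ASCII_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_STRING_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Command words a mail client speaks on the wire. Several of them next to an
# address suggest the binary talks to a mailbox itself.
MAIL_PROTOCOL_HINTS = (
    "AUTH LOGIN", "AUTH PLAIN", "MAIL FROM", "RCPT TO", "STARTTLS", "IMAP", "POP3", "SMTP",
)


def extract_strings(data: bytes) -> List[str]:
    """Return the ASCII strings in data followed by its decoded UTF-16LE strings."""
    found = [m.group().decode("ascii") for m in ASCII_STRING_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_STRING_RE.finditer(data)]
    return found


def find_mail_indicators(data: bytes) -> Dict[str, List[str]]:
    """Collect embedded addresses, their providers and mail-protocol strings."""
    strings = extract_strings(data)
    emails = sorted({e for s in strings for e in EMAIL_RE.findall(s)})
    providers = sorted({e.rsplit("@", 1)[1].lower() for e in emails})
    hints = sorted({h for s in strings for h in MAIL_PROTOCOL_HINTS if h in s.upper()})
    return {"emails": emails, "providers": providers, "protocol_hints": hints}


def looks_like_mail_c2(indicators: Dict[str, List[str]]) -> bool:
    """Heuristic verdict: a hardcoded mailbox plus at least two protocol strings."""
    return bool(indicators["emails"]) and len(indicators["protocol_hints"]) >= 2


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dropped executable's data section (not a real sample)."""
    parts = [
        b"MZ\x90\x00\x03\x00\x00\x00",                             # header bytes, for flavour
        b"GoogleUpdate.exe\x00\x00",                               # double null keeps the
        "sample.user@naver.com".encode("utf-16-le") + b"\x00\x00",  # wide string separate;
        b"AUTH LOGIN\x00RCPT TO:<\x00STARTTLS\x00",                # the address is invented
        b"\x8b\xff\x55\x8b\xec\xc3",                               # opaque bytes standing in for code
    ]
    return b"".join(parts)


if __name__ == "__main__":
    # For a real file: indicators = find_mail_indicators(open(path, "rb").read())
    indicators = find_mail_indicators(build_sample_blob())
    for key, values in indicators.items():
        print(f"{key}: {values}")
    print("verdict:", "possible email-based C2" if looks_like_mail_c2(indicators) else "no mail channel found")
```

The provider list is the actionable output: it tells the responder which service to contact so the account can be closed, which is what happened in this campaign. Raising the verdict threshold or requiring both an address and a server host name reduces false positives on legitimate mail-capable software.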
The email provider has since identified the accounts used by the attackers and shut them down: it has a responsibility to keep its customers safe, and being associated with a high-profile North Korean hacking group is hardly good for its reputation.