NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.
Executive Summary
Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If the malicious document is opened, a remote access trojan that we're calling "NavRAT" is downloaded. It can perform various actions on the victim machine, including command execution, and has keylogging capabilities.
The decoy document is named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on the victim systems. The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT.
This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging. However, the command and control (C2) infrastructure is very specific. …
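The EPS object described above is an embedded stream inside the HWP container. As an added illustration (not Talos tooling or code from this post), the script below inflates one HWP BinData stream and applies defender-side heuristics that separate weaponised EPS from ordinary vector art. It assumes the HWP 5.0 layout (BinData streams stored as raw deflate), the sample streams are constructed here, and the thresholds are illustrative.

```python
import re
import zlib

# HWP 5.0 files are OLE compound documents; embedded objects live under the
# BinData storage (e.g. "BinData/BIN0001.eps") and are stored as a raw deflate
# stream when the FileHeader compression flag is set. The helpers below take
# such a stream's bytes and apply heuristics that distinguish weaponised EPS
# from ordinary vector art. Illustrative code, not Talos tooling.

PS_MAGIC = b"%!PS"
# A hex string literal <...> spanning 200+ hex digits is rare in legitimate
# artwork but is how embedded shellcode usually appears in malicious EPS.
LONG_HEX = re.compile(rb"<\s*(?:[0-9A-Fa-f]\s*){200,}>")
# Operators that exported artwork rarely needs (threshold is a heuristic).
RARE_OPS = (b"exec", b"eexec", b"bytesavailable")

def inflate_bindata(blob: bytes) -> bytes:
    """Inflate a BinData stream: raw deflate first, zlib-wrapped next, else treat as stored."""
    for wbits in (-15, 15):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return blob

def triage_eps(blob: bytes) -> dict:
    """Return a triage verdict for one BinData stream."""
    data = inflate_bindata(blob)
    findings = []
    longest = max((len(m.group(0)) for m in LONG_HEX.finditer(data)), default=0)
    if longest:
        findings.append(f"long hex literal ({longest} bytes)")
    for op in RARE_OPS:
        # Bare operator use only; "/exec" would be a name literal, not a call.
        if re.search(rb"(?<![\w/])" + op + rb"\b", data):
            findings.append("operator " + op.decode())
    return {"is_postscript": data.lstrip().startswith(PS_MAGIC),
            "findings": findings, "suspicious": bool(findings)}

def deflate_raw(data: bytes) -> bytes:
    """Store bytes the way HWP does (raw deflate); used to build the constructed samples."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

# Constructed samples, not streams taken from the real document.
SAMPLE_BENIGN = deflate_raw(b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
                            b"newpath 10 10 moveto 90 90 lineto stroke\nshowpage\n")
SAMPLE_SUSPECT = deflate_raw(b"%!PS-Adobe-3.0 EPSF-3.0\n/blob <" + b"41" * 150 + b"> def\n"
                             b"/buf 65536 string def\nblob exec\n")

if __name__ == "__main__":
    for name, stream in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, triage_eps(stream))
```

In practice the stream bytes would come from the BinData storage of the HWP file (for example via an OLE parsing library), and hits would be escalated for analyst review rather than treated as a verdict.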
IoC
4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57
e0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef
e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574
http://artndesign2.cafe24.com:80/skin_board/s_build_cafeblog/exp_include/img.png