Hackers belonging to an elite, yet low-profile North Korean hacking team, are believed to have employed a new remote access trojan (RAT) dubbed NavRAT, in a new campaign. The hackers have used the trojan to launch attacks against South Korean targets using the US-North Korea summit as a decoy, researchers said.
NavRAT, which comes with keylogging capabilities, is distributed to targets using phishing emails. The trojan is embedded in a malicious Hangul Word Processor (HWP) document, a word processing application that is fairly popular in South Korea. I. The hackers crafted a phishing email with an attached HWP document titled “Prospects for US-North Korea Summit”.
“This document explains concerns prior to the summit between the U.S. and North Korea, which is expected to focus on the topic of denuclearization,” Cisco Talos researchers, who uncovered the new campaign, wrote in a blog. The summit is the latest in a line of signs of diplomatic outreach from North Korea, following the Panmunjom Declaration for Peace, Prosperity and Unification of the Korean Peninsula between South Korea and North Korea on April 27, 2018.”
NavRAT is similar to other standard RATs and is capable of downloading, uploading and executing commands on the victims’ systems. In addition to keylogging, the trojan also comes with a customised C2 infrastructure thatuses the Naver email platform, which is popular in South Korea, to communicate with the attackers.
NavRAT has also been designed to conduct a systems check while uploading data onto its C2 server. The trojan copies itself to the “%ProgramData%\Ahnlab\GoogleUpdate.exe” path and uses the path of AhnLab, which is a reputed security firm in South Korea. The trojan also creates a register key to distribute this file onto the infected system, the next time it is rebooted. In order to avoid detection, NavRAT, instead of running as an independent process, copies itself on a running Internet Explorer process.
Although NavRAT communicates with the attackers using the Naver email platform, Cisco Talos researchers discovered that the trojan has been unable to communicate with the attackers’ email. Naver’s protections resulted in the attackers’ account being locked.
“The password must be reset by providing information on the account, or with a mobile phone of the owner (the phone number is located in the UK). In its current status, NavRAT cannot work correctly. We assume that the owner of the malware didn't know that Naver implemented this protection,” Cisco Talos researchers noted. “NavRAT is able to download and execute files located in the attachment of a received email. It is able to remove emails, and finally, it is able to send an email via the Naver account. In our sample, the data is attempted to be sent to: chioekang59@daum[.]net.”
Researchers believe that NavRAT has likely existed since 2016 and has only been used by the hackers when launching attacks against specific targets.
Cisco Talos researchers believe that the new campaign is likely the work of the North Korean hacking outfit Group123, also known as APT37 (Reaper) and ScarCruft. In previous campaigns, Group123 has been known to deploy decoy documents, which were crafted to relate to current, geopolitical events.
Cisco Talos researchers also discovered similarities between NavRAT and ROKRAT, which was previously used by Group123 to target Korea in April 2017. Although none of the above mentioned aspects are definitive proof of Group 123’s involvement in the new campaign, Cisco Talos researchers said that they have “medium confidence that NavRAT is linked to Group123”.
In February 2018, FireEye issued a report about this hacker group that states , which stated that Group123 has primarily targeted South Korea in the past. It could also be an indication of how the group has been able to maintain a relatively low-profile , which may be why it has been able to maintain a low-profile, as especially compared to the now-infamous Lazarus group.
“Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware,” FireEye researchers said in a blog.
The new campaign is also indicative that the ongoing cyberwarfare between the North and the South continues to rage on, despite the recent attempt by both nations to reach a political accord.