**Thursday, May 31, 2018**

# NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

This blog post is authored by [Warren Mercer](https://twitter.com/securitybeard) and Paul Rascagneres, with contributions from Jungsoo An.

## EXECUTIVE SUMMARY

Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If the malicious document is opened, a remote access trojan that we're calling "NavRAT" is downloaded. It can perform various actions on the victim machine, including command execution, and has keylogging capabilities.

The decoy document is named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on the victim system. Its purpose is to download and execute an additional payload hosted on a compromised website: NavRAT. This is a classic RAT that can download, upload and execute commands on the victim host and, finally, perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses
One of the most interesting questions we still have is regarding attribution, and who is behind this malware. Previously, we published several articles concerning Group123 ([here](https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html), here, here, here and [here](https://blog.talosintelligence.com/2018/02/group-123-goes-wild.html)). We currently assess with medium confidence that this campaign and NavRAT are linked to Group123.

## MALICIOUS DOCUMENT

### Decoy Document

The attack starts with a spear-phishing email containing the HWP document named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). This references a [legitimate event](https://www.cnbc.com/2018/05/31/us-north-korea-meetings-in-new-york-aimed-at-salvaging-summit.html) that could potentially take place on June 12. Here is a screenshot of the document:
This document explains concerns prior to the summit between the U.S. and North Korea, which is expected to focus on the topic of denuclearization. The summit is the latest in a line of signs of diplomatic outreach from North Korea, following the Panmunjom Declaration for Peace, Prosperity and Unification of the Korean Peninsula between South Korea and North Korea on April 27, 2018.

This document contains the aforementioned EPS object, which is used to execute malicious shellcode on the system. This is a common vector for attackers using HWP documents, and one we have previously encountered and described.

### Malicious Code

As we already mentioned in our previous articles concerning malicious documents, EPS is effective from an attacker's point of view. It is a powerful, stack-based scripting language and, in malicious use cases, can be abused to obtain additional payloads.
Here is the content of the file:

```postscript
/shellcode <90909090909090909090E800<...redacted… >4D2D6DC95CBD5DC1811111111111111> def
<7B0D0A2756...redacted…>312067657420636C6F736566696C650D0A717569740D0A7D>
```

The executed shellcode first performs a decoding routine designed to download an additional payload from the internet. In our case, the file URI was:

hxxp://artndesign2[.]cafe24[.]com:80/skin_board/s_build_cafeblog/exp_include/img.png

This website is a legitimate Korean website. We assume that it was compromised in order to deliver the final payload to the targeted systems. This is a method we have previously observed in attacks focusing on the Korean peninsula. The image is downloaded directly, and the shellcode it contains is loaded and executed in memory. This is an example of fileless execution: the malicious code runs only within the memory of the victim host. Its purpose is to drop and execute a decoded executable using the following path:

%APPDATA%\Local\Temp\~emp.exe

The sample then runs the following commands, appending their output to a file in the fake AhnLab directory:

```
"C:\Windows\system32\cmd.exe" /C systeminfo >> "C:\Ahnlab\$$$A24F.TMP"
"C:\WINDOWS\system32\cmd.exe" /C tasklist /v >> "C:\Ahnlab\$$$A24F.TMP"
```

## NAVRAT

### Capabilities

NavRAT is a remote access trojan (RAT) designed to upload, download and execute files. The analysed sample contains many verbose logs: the malware's author logs every action to an (encoded) file. It's not often we are able to use the attacker's own logging capability to facilitate analysis, and it made our research easier.

This screenshot shows the log messages written during the process injection, including the API calls used.

NavRAT starts by copying itself (~emp.exe) to the %ProgramData%\Ahnlab\GoogleUpdate.exe path. It uses the name of a well-known security company located in South Korea, [AhnLab](http://www.ahnlab.com/). NavRAT then creates a registry key in order to execute this copy at the next reboot of the system, an initial method of persistence.
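The EPS object described above carries its shellcode as PostScript hex-string literals (`<...>`), and the second literal on the page is itself hex-wrapped PostScript source. The following triage helper is an added example, not code from the original post or from Talos: it decodes every hex literal in an EPS stream, flags literals with a long 0x90 NOP run as likely shellcode, and prints back literals that decode to plain PostScript. The sample stream is constructed here; the redacted hex from the original is not reproduced, and the first literal is filler.

```python
import binascii
import re

# Constructed stand-in for the EPS object quoted in the post. The first literal
# is filler (a run of 0x90 NOPs plus arbitrary bytes); the second is the short
# PostScript tail that survives in the quoted file content.
SAMPLE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    + b"/shellcode <" + b"90" * 64 + b"E8001122334455667788" + b"> def\n"
    + b"<7B0D0A2756" + b"312067657420636C6F736566696C650D0A717569740D0A7D>\n"
)

HEX_LITERAL = re.compile(rb"<([0-9A-Fa-f\s]+)>")  # PostScript hex string <...>

def extract_hex_literals(eps: bytes) -> list[bytes]:
    """Decode every PostScript hex string literal in the stream to raw bytes."""
    blobs = []
    for m in HEX_LITERAL.finditer(eps):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:  # PostScript pads an odd trailing digit with 0
            digits += b"0"
        blobs.append(binascii.unhexlify(digits))
    return blobs

def longest_nop_run(blob: bytes) -> int:
    """Longest run of 0x90 (x86 NOP) bytes: a cheap shellcode-sled indicator."""
    best = cur = 0
    for b in blob:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best

def triage(eps: bytes, min_len: int = 32, min_sled: int = 8) -> list[dict]:
    """Flag literals that look like raw shellcode; decode literals that are
    merely hex-wrapped PostScript source (like the second literal on the page)."""
    findings = []
    for blob in extract_hex_literals(eps):
        sled = longest_nop_run(blob)
        is_text = all(32 <= b < 127 or b in b"\r\n\t" for b in blob)
        findings.append({
            "length": len(blob),
            "nop_sled": sled,
            "suspicious": len(blob) >= min_len and sled >= min_sled,
            "decoded_ps": blob.decode("ascii") if is_text else None,
        })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EPS))
```

Run against an EPS stream extracted from an HWP file, the output separates a NOP-sled-fronted payload from the PostScript glue that loads it; the thresholds are starting points, not a signature.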
The log files mentioned previously are stored in the same directory as NavRAT on the victim machine, again making it easy for us to find and analyse them.

NavRAT supports process injection. Using this method, it copies itself into a running Internet Explorer process in order to avoid detection by running as an independent process.

The malware is able to record the keystrokes on the targeted user's system.

The most interesting part of this RAT is the C2 server architecture. The malware uses the Naver email platform in order to communicate with the operators.

### Command & Control

The malware uses the Naver email platform to communicate with the operator. The credentials are hardcoded in the sample.

However, during our investigation, NavRAT was unable to communicate with the email address:

```
[05/30/2018, 17:39:45] NaverUpload Start!!
[05/30/2018, 17:39:46] NaverUpload :PreUploading success
[05/30/2018, 17:39:46] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:46] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:46] NaverUpload :Uploading failed. Try[0]
[05/30/2018, 17:39:47] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:47] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:47] NaverUpload :Uploading failed. Try[1]
[05/30/2018, 17:39:48] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:48] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:48] NaverUpload :Uploading failed. Try[2]
[05/30/2018, 17:39:49] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:49] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:49] NaverUpload :Uploading failed. Try[3]
[05/30/2018, 17:39:51] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:51] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:51] NaverUpload :Uploading failed. Try[4]
[05/30/2018, 17:39:52] UploadProc : UploadFile Err
```

The broken communication was due to protection implemented by Naver. The malware was presumably executed from too many different countries, and the account is currently locked.

NavRAT is able to download and execute files attached to a received email. It is able to remove emails and, finally, it is able to send an email via the Naver account. In our sample, an attempt is made to send the data to: chioekang59@daum[.]net.

### Archeology

During our investigation, we tried to find additional samples of NavRAT. We only identified one old sample, compiled in May 2016. As in our case, this old sample used a fake AhnLab directory to store log files (C:\AhnLab\). In this version, the compilation path was not removed:

N:\CodeProject\VC_Code Project\Attack_Spy\mailacounts.com\src_total_20160430 - v10.0(DIV)\bin\PrecomExe(Win32).pdb

We can conclude that NavRAT has probably existed since 2016, when we believe it was at version 10. The attacker(s) appear to have remained under the radar for several years. We assume this malware has been used sparingly and only against very specific targets.

## GROUP123 LINKS?

As we explore the Korean malware landscape, we always have burning questions relating to any possible links with Group123. We identified some relevant points which we believe, with medium confidence, suggest the involvement of Group123 based on previous TTPs used by this group.

The modus operandi is identical to previous Group123 campaigns: an HWP document with an embedded EPS object containing malicious shellcode. The shellcode of the embedded object is designed to download an image which is, in fact, a new shellcode used to decode an embedded executable. We saw this exact same methodology used by Group123 during previous attacks.
One such example is [ROKRAT](https://blog.talosintelligence.com/2017/04/introducing-rokrat.html), another remote access trojan we discovered in April 2017 that targeted the Korean peninsula.

We performed the same analysis for the shellcode located in the downloaded image file. The shellcode is not exactly the same, but the design is very similar.

Additionally, we can add the victimology and the usage of a public cloud platform as a C2 server. The attacker simply moved from Yandex, pCloud, MediaFire and Twitter, and is now using Naver. This platform is mainly used locally in South Korea. A connection to this platform cannot be identified as malicious activity; the malicious traffic will be hidden in the legitimate flow.

With NavRAT we do not see this intentional and less vague level of IOC/false flag scenarios in an attempt to infer attribution to another entity. NavRAT lacks these non-obvious false flags, and thus we do not believe this to be related to non-Group123 actors.

## CONCLUSION

South Korea is still, and always will remain, an attractive target for advanced actors. The region has geopolitical interests that arise from the division between the secretive North Korea and the more open South Korea. In this campaign, the attackers used a classic HWP document in order to download and execute a previously unknown malware: NavRAT. The author used real events in order to forge the decoy document, choosing the U.S.-North Korea summit to entice the targets to open it. The approach is close to the techniques used in Group123 attacks we have observed and written about over the past 18 months or so: the shellcode contains similarities, the final payload is malicious shellcode located in an image hosted on a compromised website, and the author uses an open platform as the C2 server. In this case, NavRAT used an email provider, Naver, while ROKRAT previously used cloud providers.
And finally, the victimology and the targeted region are the same. All these elements are not strict proof of a link between NavRAT and ROKRAT. However, we assess with medium confidence that NavRAT is linked to Group123.

Using well-known local cloud/email providers is smart from an attacker's point of view. It's really hard to identify the malicious traffic in the middle of the legitimate traffic. In this case, the email provider locked the account due to attempts from too many different countries to access the email inbox. We identified the sample on several public sandbox systems, and we assume the multiple connection attempts were performed by these sandboxes.

## COVERAGE

[Advanced Malware Protection (AMP)](https://www.cisco.com/c/en/us/products/security/advanced-malware-protection) is ideally suited to prevent the execution of the malware used by these threat actors.

[CWS or WSA](https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html) web scanning prevents access to malicious websites and detects malware used in these attacks.

[Email Security](https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html) can block malicious emails sent by threat actors as part of their campaign.

[Network Security](https://www.cisco.com/c/en/us/products/security/firewalls/index.html) appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

[AMP Threat Grid](https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html) helps identify malicious binaries and build protection into all Cisco Security products.
[Umbrella](https://umbrella.cisco.com/), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

## IOCS

Malicious HWP: e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574

NavRAT: 4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57

Online payload: hxxp://artndesign2[.]cafe24[.]com:80/skin_board/s_build_cafeblog/exp_include/img.png

2016 NavRAT sample: e0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef

Posted by [Warren Mercer](https://www.blogger.com/profile/01772306994239678057) at 7:00 PM. Labels: APT, Group123, Hangul, HWP, Korea, Malware, NavRAT, North Korea, South Korea.