A remote access trojan that apparently went undiscovered for at least two years was found targeting Koreans in a spam campaign using the possible upcoming US-North Korea nukes summit as a phishing lure.
In an unusual development, the malware, dubbed NavRAT, leverages the email platform from South Korea-based Naver Corporation to communicate with the attackers, who researchers assess with medium confidence to be suspected North Korean APT actor Group123.
Cisco Systems' Talos threat intelligence division, which discovered NavRAT, reports in a 31 May blog post that its researchers have never before identified a malware that uses Naver for its command-and-control architecture. Under this arrangement, uploaded files are sent by email, while the downloaded files are retrieved from email attachments.
Due to suspicious activity, Naver's built-in protections blocked the transmission of C&C communications in the sample that researchers observed; nevertheless, the Talos blog notes that leveraging popular email or cloud service providers in this manner is clever because it's "really hard to identify the malicious traffic in the middle of the legitimate traffic."
According to researchers and blog post authors/contributors Warren Mercer, Paul Rascagneres and Jungsoo An, the malware can download, upload, execute commands on the victim host and also perform keylogging. It also supports process injection, which allows it to copy itself into a running Internet Explorer process, which helps it avoid detection.
Researchers observed NavRAT being distributed via decoy Hangul Word Processor (HWP) documents -- a common format in South Korea -- with the subject line "Prospects for US-North Korea Summit.hwp."
A malicious Encapsulated PostScript (EPS) object is embedded within these documents for the purpose of executing malicious shellcode that performs a decoding routine to download an image from a legitimate Korean website that appears to have been secretly compromised. This code loads additional shellcode that is executed in memory only to deliver the final NavRAT payload.
Based on one additional sample that researchers uncovered, Talos believes NavRAT has existed under the radar since at least May 2016.
Upon analysing the threat, Talos was able to find multiple commonalities between NavRAT and ROKRAT, a malware it has previously identified in attacks attributed to Group123. For instance, "the shellcode contains similarities, the final payload is malicious shellcode located in an image hosted on a compromised website, and the author uses an open platform as the C2 server," the blog states (although ROKRAT's C&C architecture uses cloud providers rather than Naver). "And finally, the victimology and the targeted region are the same."