Security Experts:

China-linked KHRAT Operators Adopt New Delivery Techniques

A recently observed KHRAT remote access Trojan (RAT) infection campaign uses updated spear phishing, download and execution techniques, Palo Alto Networks security researchers warn.

KHRAT is a backdoor associated with the China-linked cyber espionage group known as DragonOK, which has been previously known to use malware such as NetTraveler (aka TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks against organizations in Russia and other surrounding countries. The recent campaign featuring the RAT targets victims located in Cambodia.

The malware was designed to register victims using their machine’s username, system language and local IP address, while also providing attackers with the typical set of RAT features, including remote access to the victim system, keylogging, screenshot taking capabilities, remote shell access, and the like.

After comparing the new attacks with previous KHRAT campaigns, Palo Alto concluded that the malware’s authors have updated their spear phishing techniques and themes and are using multiple methods to download and execute additional payloads using built-in Windows applications. They also expanded their infrastructure mimicking Dropbox, a well-known cloud-based file hosting service.

Although not very prevalent, the RAT has registered an uptick in usage over the past couple of months, the researchers say. The attacks against Cambodian targets was discovered in June, when Palo Alto researchers stumbled upon a malicious Word document designed to contact a server supposedly belonging to Dropbox.

In addition to hiding its network traffic, the document also included the acronym MIWRMP, which refers to the Mekong Integrated Water Resources Management Project, a multi-million dollar project regarding water resources and fisheries management in North Eastern Cambodia, thus seeming legitimate.

The document prompts the user to enable macros, which allows embedded VBA code to run and perform malicious operations, including creating new scheduled tasks and calling functions to run JavaScript code.

The researchers also connected the document to the domain name update.upload-dropbox[.]com, which has been hosted on a compromised Cambodian government’s website. The sample fetched from the compromised government servers would launch the legitimate regsvr32.exe program, in an attempt to bypass included Windows protections.

Another component related to the campaign would download an .ico file meant to create three scheduled tasks and use regsvr32.exe to download and execute three other .ico files. A DLL component was also associated with the campaign, but wasn’t downloaded and executed, the researchers say.

While investigating the KHRAT dropper code, the security researchers also stumbled upon JavaScript code that allows the actor to monitor who is visiting their site. The code would gather data such as user-agent, domain, cookie, referrer and Flash version, and appears almost identical to that found on a blog hosted on the Chinese Software Developer Network (CSDN) website.

“This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of peoples’ minds; as well as the new use of multiple techniques in Windows to download and execute malicious payloads using built-in applications to remain inconspicuous which is a change since earlier variants,” Palo Alto notes.

The researchers conclude that the threat actors behind KHRAT have updated both the malware and their tactics, techniques and procedures (TTPs) over the course of 2017. These changes are meant to help the actor produce more successful attacks.

“Other notable actions by the threat actors included updated infrastructure purporting to be part of either the well-known cloud-based company, Dropbox, or a travel agency, likely to appear genuine, masquerading traffic under the premise of other applications to communicate with the attack infrastructure, some of which included compromised Cambodian Government servers,” the researchers conclude.

Related: China-Linked Spies Use Recent Zero-Day to Target Financial Firms

Related: China-Linked "DragonOK" Group Expands Operations

view counter