Connect with us

Hi, what are you looking for?



China-linked KHRAT Operators Adopt New Delivery Techniques

A recently observed KHRAT remote access Trojan (RAT) infection campaign uses updated spear phishing, download and execution techniques, Palo Alto Networks security researchers warn.

A recently observed KHRAT remote access Trojan (RAT) infection campaign uses updated spear phishing, download and execution techniques, Palo Alto Networks security researchers warn.

KHRAT is a backdoor associated with the China-linked cyber espionage group known as DragonOK, which has been previously known to use malware such as NetTraveler (aka TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks against organizations in Russia and other surrounding countries. The recent campaign featuring the RAT targets victims located in Cambodia.

The malware was designed to register victims using their machine’s username, system language and local IP address, while also providing attackers with the typical set of RAT features, including remote access to the victim system, keylogging, screenshot taking capabilities, remote shell access, and the like.

After comparing the new attacks with previous KHRAT campaigns, Palo Alto concluded that the malware’s authors have updated their spear phishing techniques and themes and are using multiple methods to download and execute additional payloads using built-in Windows applications. They also expanded their infrastructure mimicking Dropbox, a well-known cloud-based file hosting service.

Although not very prevalent, the RAT has registered an uptick in usage over the past couple of months, the researchers say. The attacks against Cambodian targets was discovered in June, when Palo Alto researchers stumbled upon a malicious Word document designed to contact a server supposedly belonging to Dropbox.

In addition to hiding its network traffic, the document also included the acronym MIWRMP, which refers to the Mekong Integrated Water Resources Management Project, a multi-million dollar project regarding water resources and fisheries management in North Eastern Cambodia, thus seeming legitimate.

The document prompts the user to enable macros, which allows embedded VBA code to run and perform malicious operations, including creating new scheduled tasks and calling functions to run JavaScript code.

Advertisement. Scroll to continue reading.

The researchers also connected the document to the domain name update.upload-dropbox[.]com, which has been hosted on a compromised Cambodian government’s website. The sample fetched from the compromised government servers would launch the legitimate regsvr32.exe program, in an attempt to bypass included Windows protections.

Another component related to the campaign would download an .ico file meant to create three scheduled tasks and use regsvr32.exe to download and execute three other .ico files. A DLL component was also associated with the campaign, but wasn’t downloaded and executed, the researchers say.

While investigating the KHRAT dropper code, the security researchers also stumbled upon JavaScript code that allows the actor to monitor who is visiting their site. The code would gather data such as user-agent, domain, cookie, referrer and Flash version, and appears almost identical to that found on a blog hosted on the Chinese Software Developer Network (CSDN) website.

“This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of peoples’ minds; as well as the new use of multiple techniques in Windows to download and execute malicious payloads using built-in applications to remain inconspicuous which is a change since earlier variants,” Palo Alto notes.

The researchers conclude that the threat actors behind KHRAT have updated both the malware and their tactics, techniques and procedures (TTPs) over the course of 2017. These changes are meant to help the actor produce more successful attacks.

“Other notable actions by the threat actors included updated infrastructure purporting to be part of either the well-known cloud-based company, Dropbox, or a travel agency, likely to appear genuine, masquerading traffic under the premise of other applications to communicate with the attack infrastructure, some of which included compromised Cambodian Government servers,” the researchers conclude.

Related: China-Linked Spies Use Recent Zero-Day to Target Financial Firms

Related: China-Linked “DragonOK” Group Expands Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...