Palo Alto Networks spots increase in KHRAT attacks

Researchers from Palo Alto Networks' security team Unit 42 report an increase in attacks by KHRAT. The Unit 42 researchers say that since June there has been a slight increase in visibility of KHRAT as it starts to use new techniques to infect machines. So far these new techniques have produced only a small number of observed infections, although the campaign has made use of compromised Cambodian government servers.

What is KHRAT?

First noticed in January by Forcepoint, KHRAT is a remote access trojan (RAT) using command and control (C&C) servers in Cambodia. It was installed onto users' machines using a modified Adobe Reader installer.

KHRAT only runs on computers where the current user has administrator privileges, so that its code executes with elevated rights. It then registers itself with a C&C server and sends the infected machine's username, system language and local IP address. The RAT allows the attacker to install further malware on the computer and uses a keylogger to capture information from the local machine. Forcepoint concluded that KHRAT was simply a rehash of code sitting on Chinese code-sharing sites.

What are the new attack vectors?

Unit 42 researchers Alex Hinchliffe and Jen Miller-Osborn say the uptick they have noticed includes new attacks and techniques. They call out some key elements of the attack, which include:

  • Updated spear phishing techniques and themes. The attack is hidden inside a Word document called "Mission Announcement Letter for MIWRMP phase 3 implementation support mission, June 26-30, 2017(update).doc". When users open the document, it asks them to enable editing and content. If they do, malicious code in the form of VBA macros is able to execute. The document then displays a message saying that it cannot be opened due to compatibility issues. Hinchliffe and Miller-Osborn believe this is a distraction technique: by that point the malware is already installed on the local machine, and closing or deleting the document does not remove it.
  • Multiple techniques to download and execute additional payloads using built-in Windows applications. The malicious code in the document makes a number of changes to the local machine. It creates new scheduled tasks and causes the infected machine to execute JavaScript code. It also makes a number of changes to the Windows registry, allowing it to register malicious DLL files.
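The infection chain above (Office macro, new scheduled task, script host running JavaScript, DLL registration via the registry) leaves a process-creation trail that endpoint telemetry can catch. The following is an added detection sketch, not Unit 42's code and not something the article contains. The event records are constructed here to resemble Sysmon process-creation fields, and the specific built-in binaries it looks for (schtasks.exe, wscript.exe, regsvr32.exe) are an assumption: the write-up only says "built-in Windows applications". The scheduled-task rule matters because a task fires later under svchost.exe, so the Office parent is no longer visible on that child.

```python
"""Flag Office-spawned LOLBins, script hosts and DLL registration.

Added example, not code from the Unit 42 write-up. Event dicts mimic
Sysmon Event ID 1 fields; binary names are assumptions for illustration.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = SCRIPT_HOSTS | {"schtasks.exe", "regsvr32.exe", "rundll32.exe",
                          "cmd.exe", "powershell.exe"}
# Locations a non-admin user can write to; payloads dropped by a macro
# usually land here rather than under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names one process-creation event matches."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    lc = cmd.lower()
    hits = []
    # 1. Office directly launching a built-in tool (the macro stage).
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office_child_lolbin")
    # 2. A scheduled task whose action is a script host (persistence stage).
    #    Needed because the task later runs under svchost, not Office.
    if image == "schtasks.exe" and "/create" in lc and any(h in lc for h in SCRIPT_HOSTS):
        hits.append("schtasks_script_host")
    # 3. Script host executing a script from a user-writable path.
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd) and re.search(r"\.(?:js|jse|vbs|hta)\b", lc):
        hits.append("script_host_user_path")
    # 4. regsvr32 registering a DLL from a user-writable path.
    if image == "regsvr32.exe" and USER_WRITABLE.search(cmd) and ".dll" in lc:
        hits.append("regsvr32_user_path_dll")
    return hits


def scan(events):
    """(index, hits) for every event that matched at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]


# Constructed sample telemetry (not real data): a chain like the one the
# article describes, followed by two benign events that must not fire.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn "Update" '
                    r'/tr "wscript.exe //e:jscript C:\Users\u\AppData\Roaming\up.js" /f'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //e:jscript C:\Users\u\AppData\Roaming\up.js"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\u\AppData\Roaming\plugin.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), hits)
```

Run stand-alone it prints the three malicious events with their rule names; the vendor DLL registered from Program Files and the print helper spawned by Word produce no alert.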

Russian IP addresses and fake Dropbox installation

Once KHRAT is installed on the local machine, Unit 42 highlights further actions:

  • Expanded infrastructure mimicking the name of the well-known cloud-based file hosting service Dropbox. The JavaScript code executed by KHRAT makes an HTTP request on port 80 to what appears to be a Dropbox installer. In reality this points to fake Dropbox infrastructure hosted on an IP address located in Russia, from which the software can download additional malicious code.
  • Compromised Cambodian government servers. As well as using the IP address in Russia, Unit 42 has detected KHRAT using compromised Cambodian government servers as part of the C&C mechanism.

Infected domains associated with other countries

In addition to these two sites, Unit 42 researchers say that there are other fake domains in play:

  • one of these is called inter-ctrip[.]com and is designed to look as if it is affiliated with two well-known travel websites based in China and the US
  • the other domain is a previously unreported malicious site vip53[.]cn.

The researchers tracked both of these additional domains. They link back to compromised wireless devices in Vietnam and Singapore.

What does this mean?

“This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of people's minds; as well as the new use of multiple techniques in Windows to download and execute malicious payloads using built-in applications to remain inconspicuous which is a change since earlier variants” note Alex Hinchliffe and Jen Miller-Osborn.

The use of servers appearing to be owned by Dropbox and the Cambodian government is an obfuscation technique. It is likely to persuade some users, and some network monitoring, that the traffic is legitimate. In addition, Unit 42 says that the click-tracking software used in the campaign “is not something we have found to date in use by many groups.”

All of this leads them to believe that this is indicative of a sophisticated threat actor group, which they will continue to monitor.

Despite this, the number of instances of KHRAT spotted by the researchers is relatively low. Companies with offices and users in Cambodia should nevertheless take preventative action. In the blog the researchers provide a list of indicators of compromise, and an extensive list of domains is given at the end of the blog. IT security teams should add these to their blocklists at the DNS, proxy and firewall layers.
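Turning a published IOC list into a working block is mostly a matter of handling the details correctly: the indicators are defanged (`inter-ctrip[.]com`), DNS logs carry trailing dots and mixed case, and a subdomain of a listed domain should match while a domain that merely contains the string (`notvip53.cn`) should not. The script below is an added example and not part of the article or the Unit 42 write-up; it uses only the two domains the article names, and the DNS log lines are constructed for illustration.

```python
"""Refang published IOC domains and match them against DNS query logs.

Added example, not from the article. Only the two domains the article
names are used; the sample log lines are constructed.
"""
import re

# Indicators exactly as the article prints them (defanged).
RAW_IOCS = ["inter-ctrip[.]com", "vip53[.]cn"]


def refang(ioc):
    """Turn a defanged indicator ('a[.]b', 'hxxp://a[.]b/x') into a bare host."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = s.split("/", 1)[0]          # drop any URL path
    return s.rstrip(".")


def build_blocklist(iocs):
    return {refang(i) for i in iocs}


def matches(host, blocklist):
    """Return the blocklisted domain that host equals or is a subdomain of.

    Walks the name label by label (cdn.inter-ctrip.com -> inter-ctrip.com
    -> com) so substrings such as 'notvip53.cn' never match 'vip53.cn'.
    """
    parts = host.strip().lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed DNS resolver log (not real data).
SAMPLE_DNS_LOG = """\
2017-08-30T10:01:02Z client=10.0.0.5 query=www.dropbox.com. type=A
2017-08-30T10:01:09Z client=10.0.0.5 query=cdn.inter-ctrip.com. type=A
2017-08-30T10:02:15Z client=10.0.0.7 query=VIP53.CN. type=A
2017-08-30T10:02:40Z client=10.0.0.9 query=notvip53.cn. type=A
"""


def scan_dns_log(text, blocklist):
    """(client, queried host, matched indicator) for every hit in the log."""
    alerts = []
    for line in text.splitlines():
        q = re.search(r"query=(\S+)", line)
        if not q:
            continue
        host = q.group(1).lower().rstrip(".")
        hit = matches(host, blocklist)
        if hit:
            client = re.search(r"client=(\S+)", line).group(1)
            alerts.append((client, host, hit))
    return alerts


if __name__ == "__main__":
    bl = build_blocklist(RAW_IOCS)
    for client, host, hit in scan_dns_log(SAMPLE_DNS_LOG, bl):
        print(f"{client} queried {host} (matches {hit})")
```

The real Dropbox lookup and the look-alike `notvip53.cn` pass through; only the subdomain of `inter-ctrip.com` and the upper-cased `VIP53.CN` query are reported.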
