KHRAT Trojan sweeps across Cambodia
The KHRAT Trojan has been spotted targeting citizens of Cambodia with new capabilities and weaponry.
The Remote Access Trojan (RAT) has been in the wild for some time, but this year, more modern variants have emerged.
According to Palo Alto Networks' Unit 42 security team, KHRAT is currently being used by threat actors to target Cambodian citizens, with the overall aim of enslaving PCs, stealing information including system language and IP address, and spying through the use of keylogging, screenshots, and remote shell access.
In a blog post, the group said there has been an uptick in activity in recent months, while the first surge against Cambodian victims was discovered back in June.
KHRAT is now being deployed through fresh spam and phishing campaigns, with fraudulent emails containing weaponized attachments relating to the Mekong Integrated Water Resources Management Project (MIWRMP), a million-dollar scheme funded by the World Bank which is currently being deployed to improve water and fisheries management in North Eastern Cambodia.
One malicious document used to spread the RAT is called "Mission Announcement Letter for MIWRMP phase three implementation support mission, June 26-30, 2017(update).doc," which relates to the project in its current design stage.
The attachment, however, contacts a Russian IP address and uses the domain update.upload-dropbox[.]com in order to dupe victims into believing they are connecting to the legitimate Dropbox cloud storage service.
In addition, the malware was also hosted on the Cambodian Government's website at a time the domain was compromised.
Once downloaded and opened, the crafted Word document then claims the user's Office version isn't compatible, so they must click a link and permit macro content which executes the Trojan.
KHRAT then deploys additional malicious code payloads, modifies the Windows registry, and creates persistence by forcing Microsoft Word to re-execute the Trojan should a document be reloaded from the most recently used document list.
The Trojan also masks its activities using the legitimate regsvr32.exe program, schedules a range of innocent-looking tasks, and creates calling functions to run JavaScript code.
An interesting aspect of the Trojan found within the dropper code is a link to a blog hosted on the Chinese Software Developer Network (CSDN) website which contains an "almost identical" code sample of a click-tracking system in the malware.
"The JavaScript code in probe_sl.js uses a click-tracking technique, presumably so the actors can monitor who is visiting their site," the researchers note. "It may also be an attempt to control the distribution of later stage malware and tools, by only sending it in response to requests from desired victims or vulnerable systems, and dropping requests from others such as researchers."
Palo Alto Networks believes that the threat actors behind KHRAT have evolved the Trojan to include targeted spear phishing and click-tracking in order to more successfully target victims of interest in Cambodia.
Considering the political nature of the spear phishing emails, the campaigns may have the purpose of spying on political rivals or disrupting political activity.
"This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of peoples' minds," the researchers say. "We believe this malware, the infrastructure being used, and the TTPs (tactics, techniques, and procedures) highlight a more sophisticated threat actor group, which we will continue to monitor closely."