CyberWire Daily - Tracking a Trojan: KHRAT. [Research Saturday]

Episode Date: October 28, 2017

The moniker KHRAT came about because of the identification of a Remote Access Trojan (RAT) with command and control infrastructure found in Cambodia (KH). In the most recent episode of the CyberWire's... Research Saturday, Ryan Olson, Director of Threat Intelligence at Palo Alto Networks, talks with us about the capabilities of KHRAT and shares details of the feature set it provides to threat actors that use it. https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context,
Starting point is 00:02:16 simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. The story of KHRAT is relatively small from the scale of the impact, a small number of individuals.
Starting point is 00:02:51 That's Ryan Olson, the Director of Threat Intelligence at Palo Alto Networks. Their Unit 42 Threat Intelligence team recently observed activity involving the remote-access Trojan they call KHRAT, used by threat actors to target citizens in Cambodia. This is a malware tool. It's a remote access tool or remote access Trojan, depending on your terminology, that we associate with a group that's called DragonOK. This is an espionage group that we've seen targeting people for the last three or four years. They use a series of different, basically, malware tools, different kinds of backdoors, different techniques to compromise organizations and then to steal their information. We've seen them target all sorts of types of organizations, folks in high
Starting point is 00:03:37 tech, folks in heavy industry, NGOs, national embassies. They really do sort of have broad targeting. But when they go after someone, it's pretty specific. Attacks from DragonOK using KHRAT aren't the kind of thing that just any individual is typically going to experience. So to back up a little bit, KHRAT was first discovered and detailed by Forcepoint back in March. They named it KHRAT because the malware was targeting individuals and hosting their command and control structure on infrastructure in Cambodia. And .kh is the top-level domain for Cambodia. So they gave it that name.
Starting point is 00:04:17 They gave us some description of how it operated and described some of the attacks that it was used in and linked it back to this other group, DragonOK. We've been monitoring it since then. Palo Alto Networks collects a lot of malware. We have this big platform that's deployed globally. All of the files that pass through firewalls and get analyzed in our WildFire cloud, all the data from that, all the analysis reports, it all runs into this big system that we have called AutoFocus.
Starting point is 00:04:43 And then the researchers on my team and elsewhere in the company, we look at that data. We build tools. We build rules, basically, to help alert us when we see something of interest. So one of the researchers in our team, Alex Hinchliffe, actually identified that a new KHRAT sample had passed into our platform and started investigating it in June. And KHRAT is a relatively straightforward backdoor. Backdoors can have lots of different features to them. Sometimes we see commercial backdoors that have all these amazing features.
Starting point is 00:05:18 They turn on your video camera. They can record your audio. You know, they've got really sophisticated GUIs to make it easy for the attacker to sort of walk through your system. KHRAT seems relatively simple, though. It gives you basic access to the file system so they can, you know, read and write files, upload them back to the command and control server. It can log keystrokes. It can capture screenshots. And it can basically open a command prompt. So if the attacker wanted to, they can type any command they want to, run it on the Windows host.
Starting point is 00:05:49 So take us through how is this attack delivered? So the delivery is actually pretty interesting. In this case, the file that we picked up, the file that was uploaded into our cloud, was a Word document. And it was a Word document that had a file name and sort of a description that was related to basically an infrastructure development project happening on the Mekong River in Cambodia. So in this case, what we picked up was not a whole email. There wasn't an email passing through our network, but we got this file, this Word document. And the Word document, when you open it up, it would display a message to you. It was basically going to say, hey, if you want to see the content of this file, you need to click enable content at the top. This is actually a really common technique that we've seen a lot of attackers pick up, basically starting in October of 2014 and just ramping up from there.
Starting point is 00:06:35 When you click that enable content button, while it might display content to you, it might actually show you some additional information. What you're really doing is telling Word, I trust this document and you can enable macro code to run inside it. That enable content button, as you've probably heard in many attacks, has become an extremely dangerous button to press. And that macro code in this Word document, what it did is reach out to another website. In this case, the website used the domain upload-dropbox.com, which is, you know, sort of a lookalike domain for Dropbox. It's not really owned by Dropbox, but if someone were to see network traffic to it, they might not think it was suspicious. And what it was going to do is access a file there that was called something like file.jpg. The content of that file wasn't actually a JPEG.
Starting point is 00:07:26 It wasn't an image. It was actually some WScript, some Windows scripting engine code, which would then get executed by the macro, which would reach out to the same server again, upload-dropbox.com, and download another file that looked like it was an image, but it was actually a DLL. And that DLL was KHRAT.
Starting point is 00:07:45 At that point, the macro would run the DLL, it would start operating on the system, would install itself so that anytime the system rebooted, it would keep running, and it would give the attacker access to that host over its command and control channel, which happens over more HTTP requests, basically, to another server. So take us through the way that it masquerades as being a Dropbox infrastructure. So you can create basically any domain that you want to. If I wanted to go and register, you know, the cyberwire.com, I could go and do that if it wasn't already registered.
Starting point is 00:08:21 Hey, back off there, buddy. If I wanted to, I could go and do that. And you might be able to make a claim and say, hey, you're violating my copyright, and we can go to arbitration to try and transfer that back. But domains are available. People can register them. You can register them with small typos in them.
Starting point is 00:08:37 You can register them with dashes where there weren't normally dashes. A lot of companies register domains defensively because they think they might be used by attackers or people who are trying to damage their brand. So they'll register a whole bunch of domains in advance. In this case, this upload-dropbox.com was registered by an attacker. And if you think about this from the network defender's perspective, let's say you're sitting down. You're looking for suspicious traffic.
Starting point is 00:09:06 and you're looking for suspicious traffic, and you see an HTTP request, basically access to a website that looks like it's on upload-dropbox.com, and it looks like it's going for a file called file.jpg. That looks a lot less suspicious than something that's on some big random-looking domain or just a direct connection to an IP address, and it's a file that's called, you know, malware.exe or malware.dll. In either one of those cases, that would look a lot more suspicious. It would pop out as something that that guy should go and investigate, that that analyst should go and say, hey, this is something that's out of the ordinary. So this is, I mean, it's not a super sophisticated technique to try and mask your activity, but anything that an attacker can do to sort of decrease the likelihood that you're just going to get picked up by chance oftentimes is worthwhile. So there's
Starting point is 00:09:51 lots of these kinds of, you know, basic sort of obfuscation techniques that attackers use. One of the downsides of actually going and registering your own domain and doing it in this way is that, you know, it becomes memorable. It's the kind of thing that another analyst in my team, if we see traffic that's going to this domain in the future, we'll know, hey, that's related to that KH rat attack. We can also keep a nice list of all the domains they've used and get a better understanding of sort of the patterns that they use as well. In this case, it wasn't just upload-dropbox.com.
Starting point is 00:10:20 They actually used a few subdomains of that. So, you know, stuff.upload-dropbox.com as the domain that was being contacted. Take us through the installation and the persistence. Sure. So once KHRAT is actually on the system, this is that DLL that's actually going in and running on the host. It gets written to the file system. A registry key gets created so that when the system reboots, it's going to keep running. It's relatively straightforward, nothing that's completely
Starting point is 00:10:50 out of the ordinary. Would your standard antivirus detect this sort of thing? It's possible for antivirus to detect any kind of rat like this. It just depends on what they know about. One of the big downsides of signature-based detection is that the antivirus program has to be aware of what it looks like before it can detect it. Most antivirus engines at this point also contain some sort of behavioral detection capability so they can look at sort of how it's operating, whether or not it's doing malicious things. The technology that we operate does something very similar. We'll actually run these files basically in a sandbox to see, does it do anything that looks suspicious and compare those, you know, this one file to three
Starting point is 00:11:29 and a half billion other files to discover, does it look like the good ones or does it look like the bad ones? So it's possible that it was detected. I don't actually have the data on whether or not it was detected directly by AV signatures on the day of. But a lot of attackers, especially when you're launching a really low, sort of low and slow attack, you're targeting, you know, five or 10 people at a time. It's pretty simple to get a copy. One, you can do reconnaissance, find out these companies, these organizations I'm targeting, what antivirus program do they use? That's actually relatively easy to find out through, you know, searching LinkedIn, through searching for job postings. If a company has got a position
Starting point is 00:12:07 open where they are looking for someone who has skills around a certain antivirus product, it's really easy to know that's what they're using. And then you can upload that file to an A-B testing service and say, has it been detected by this program or not? And if it's not, fantastic. Go and send your malware there because you know it's not going to be picked up. So in this case, like I said, I don't know the exact detections for the DLL at the time, but it's not the kind of thing that you know is going to be detected right off the bat. Now, in this case, there was also the clever use of a click tracker. Yeah, so we saw this interesting overlap with this click tracker,
Starting point is 00:12:42 basically on the command and control server itself. There was some other content that was included with this JavaScript click tracker. And a click tracker is the kind of thing that you would see used in lots of different websites. It's the kind of thing that advertising companies use to track whether or not people have viewed various pages. So this is basically just a reconnaissance tool, effectively to say who's actually going and touching this website. Now, in this case, the click tracker that was installed on this host that was on the same server as the command and control server, we don't know exactly how it was connected to the KHRAT. It's possible that
Starting point is 00:13:21 there was a direct connection. It's possible that it was being used for different purposes by the same attacker. But it did give them the ability to track who is visiting this web server. Is it people who are infected with the malware potentially, or is it other folks who are just sort of accessing this server? In terms of attribution, what are your conclusions there? We've attributed previous attacks related to the tools that DragonOK has used in the past. One thing, Paladin Networks in general doesn't attribute attacks to nation states in particular. And the main reason for that is, as a company, our sort of vantage point, one, I'm an intelligence analyst. I've been working in this industry for over a decade.
Starting point is 00:14:01 And one thing that I know is that I oftentimes don't have enough information to make a conclusion, especially a, you know, a conclusive statement that one attack was really launched by a nation state, by a particular nation state. I can make guesses based off of their intent, based off of capabilities around the kind of adversary who might have been responsible for particular kinds of attacks. But since I'm not law enforcement and I'm not a government agent who might have access to additional information garnered from hosts that were used for operating the malware, other things like that, I'm rarely in a position where I can make that conclusive sort of answer. The second thing is my customers in general, it doesn't help them to know that it's a specific nation state necessarily.
Starting point is 00:14:48 It's interesting for sure, but it doesn't really change how they're going to defend against that attacker. What they're really interested is how capable are they? Who have they attacked in the past? What kind of operations do they launch and what can I do to keep them out of my network? So that's generally what we focus on. So in our case, we associate all this activity with DragonOK. That's the code name that we use for it. These new attacks using KHRat, we also link back to DragonOK
Starting point is 00:15:11 as well as probably five or six tools that we've seen them use in the past. They're distinct tools that are only used by this one group. And they attack a lot of people, and their primary goal seems to be stealing information. They're not targeting people like my mom to hold her data for ransom. They're targeting high-end organizations in very specific ways, which gives us a really different kind of profile than a traditional criminal attack. Given the targeting of these types of attacks and that they're not going after broad consumers or things like that,
Starting point is 00:15:42 that they know who they're going after and they have specific targets. What are the broader take-homes from your analysis of this KH rat? So for the kinds of organizations who might be targets of a group like Dragon OK, I think it's important for them to understand what this group's tactics are now, what they have been in the past, and the fact that they are using this new remote administration tool. They've got a new component in their toolkit, and they're launching attacks with it. For everybody else, which is the vast majority of the population, the takeaway I would have is mostly around, this is a very sophisticated group writing their own malware, and the way that
Starting point is 00:16:22 they've chosen to target people is to send them emails with Word documents in them that have macros that they just someone has to click enable content and it's going to compromise their computer. And this is a technique that's used by tons of cyber criminals, people who are launching all sorts of kinds of attacks. And the same two types of actors are using the exact same technique. And the reason for that is not because they don't have anything better. It's because it works so well. It doesn't require any technical vulnerability. There are certainly things that administrators can do to stop.
Starting point is 00:16:55 Administrators can make the choice and act and through group policy to say, let's disable for our entire enterprise the ability to run macros in Word or do that based off of Active Directory groupings. But for people at home where you don't have an administrator who's going to make that choice, disable macros. You almost never need them. Turn them off, search on whatever version of Windows and whatever version of Office you're using to disable macros entirely. And just even if you don't have them disabled, don't click enable content unless the file is absolutely one that you have to run a macro in, which is relatively rare.
Starting point is 00:17:27 Keep that feature off. It is just too risky. Our thanks to Ryan Olson from Palo Alto Networks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak.
Starting point is 00:18:25 Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Starting point is 00:18:43 Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yellin, Nick Veliky. Thanks for listening.
