
Trojanized Adobe Installer used to Install DragonOK’s New Custom Backdoor

Since January of this year, Forcepoint Security Labs™ has observed the DragonOK campaign targeting political parties in Cambodia. DragonOK is an active targeted-attack campaign that was first discovered in 2014. It is known to target organizations in Taiwan, Japan, Tibet and Russia with spear-phishing emails carrying malicious attachments.

The latest dropper they used is disguised as an Adobe Reader installer and installs yet another new custom remote access tool (RAT). We have named this RAT “KHRAT” after one of its command and control servers, kh[.]inter-ctrip[.]com, whose hostname matches Cambodia’s country code (kh).

Dropper

The trojanized installer is a RAR SFX file that has the filename “reader112_en_ha_install.exe”. It contains both a legitimate Adobe Reader installer and a malicious VBScript file:

As a result, when the malware is executed, the user is presented with the legitimate Adobe installer prompt while the malicious VBScript executes in the background. Below is a code snippet of the VBScript:

Deobfuscating the script reveals the following code, which installs a portable executable (PE) file embedded in the script:

As can be seen above, the PE file is dropped as %USERPROFILE%\USER.DAT and is executed with a parameter "K1". This PE file is KHRAT, which will be discussed in the next section.
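A triage helper for scripts of this kind, added here as an example and not code from the original post or from Forcepoint: it looks for long hex or base64 literals inside a script, decodes them, and keeps only those that carry a well-formed MZ/PE header, then lists the environment-rooted paths the script references. The VBScript text and the 128-byte PE stub are constructed sample data; the hex encoding of the payload and the ADODB.Stream write are assumptions about the layout, since the post's deobfuscated listing is not reproduced here.

```python
import base64
import re
import struct

# Candidate encodings of an embedded binary inside script text.
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{64,}")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{88,}={0,2}")
# Environment-variable-rooted paths such as %USERPROFILE%\USER.DAT (stops at quotes, spaces, commas).
ENV_PATH = re.compile(r"%[A-Za-z_]+%\\[^\"'\s,]+")


def parse_pe_header(blob):
    """Return (e_lfanew, machine) if blob carries a well-formed MZ/PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    return e_lfanew, machine


def carve_embedded_pe(script_text):
    """Find long hex/base64 literals that decode to a PE image; return a list of findings."""
    findings = []
    for encoding, pattern, decode in (
        ("hex", HEX_BLOB, bytes.fromhex),
        ("base64", B64_BLOB, lambda s: base64.b64decode(s, validate=True)),
    ):
        for m in pattern.finditer(script_text):
            try:
                blob = decode(m.group())
            except ValueError:          # odd-length hex, bad base64 (binascii.Error is a ValueError)
                continue
            header = parse_pe_header(blob)
            if header is None:
                continue
            findings.append({
                "encoding": encoding,
                "offset": m.start(),
                "size": len(blob),
                "e_lfanew": header[0],
                "machine": header[1],
            })
    return findings


def drop_paths(script_text):
    """Environment-rooted file paths referenced by the script, deduplicated and sorted."""
    return sorted(set(ENV_PATH.findall(script_text)))


def _constructed_pe_stub():
    """A 128-byte MZ/PE stub used only as sample data; it is not an executable program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at offset 0x40
    nt = b"PE\x00\x00" + struct.pack("<H", 0x014C)   # IMAGE_FILE_MACHINE_I386
    return bytes(dos) + nt + b"\x00" * (0x40 - len(nt))


# Constructed sample script: drops a hex-encoded PE to %USERPROFILE%\USER.DAT and runs it
# with the same command line the post shows for the persistence entry.
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'target = sh.ExpandEnvironmentStrings("%USERPROFILE%\\USER.DAT")\n'
    'payload = "' + _constructed_pe_stub().hex().upper() + '"\n'
    'Set stm = CreateObject("ADODB.Stream")\n'
    'stm.Type = 1 : stm.Open\n'
    "' (hex-to-bytes conversion and stm.Write omitted from the sample)\n"
    'stm.SaveToFile target, 2\n'
    'sh.Run """%USERPROFILE%\\SysWOW64.com"" %USERPROFILE%\\USER.DAT,K1"\n'
)

if __name__ == "__main__":
    for f in carve_embedded_pe(SAMPLE_VBS):
        print("embedded PE: %(encoding)s at offset %(offset)d, %(size)d bytes, machine 0x%(machine)04x" % f)
    print("paths referenced:", drop_paths(SAMPLE_VBS))
```

Run against a real script the same way; a hit plus a path under %USERPROFILE% is the combination described above and is worth a closer look even when the dropped file has a non-executable extension such as .DAT.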

KHRAT

KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function.

Otherwise, it creates the following registry entry as a persistence mechanism and then calls the function K3:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Run = ""%USERPROFILE%\SysWOW64.com" %USERPROFILE%\USER.DAT,K1"

K3 then elevates the malware’s privileges by granting itself SE_DEBUG_PRIVILEGE via a RtlAdjustPrivilege call, and proceeds to communicate with its command and control (C2) server. The malware initially registers itself with the C2 server by sending the infected machine’s username, system language and local IP address.

All communication to and from the C2 server is encrypted with a byte-wise XOR. Below is a code snippet showing this routine being applied prior to sending data to the C2:
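A small decoder for traffic protected this way, added here as an example and not code from the original post or from Forcepoint: given a captured beacon, it tries every single-byte XOR key and ranks the decodes by how much they look like the registration message described above (printable ASCII, an IPv4 address, a locale tag). The beacon is constructed sample data; the field layout, the `|` delimiter and the key 0x5A are assumptions for the demonstration, not values recovered from KHRAT.

```python
import re

# Traits the registration beacon is said to carry: an IP address and a system language.
IPV4 = re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LOCALE = re.compile(rb"\b[a-z]{2}-[A-Z]{2}\b")


def xor_bytes(data, key):
    """Byte-wise XOR of data with a repeating key (a 1-byte key is the simple case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(candidate):
    """Score a decoded buffer: one point per printable ASCII byte, bonuses for beacon fields."""
    score = sum(1 for b in candidate if 0x20 <= b <= 0x7E)
    if IPV4.search(candidate):
        score += 50
    if LOCALE.search(candidate):
        score += 20
    return score


def recover_single_byte_key(ciphertext):
    """Try all 256 single-byte keys; return (key, plaintext) for the best-scoring decode."""
    best = max(range(256), key=lambda k: plausibility(xor_bytes(ciphertext, bytes([k]))))
    return best, xor_bytes(ciphertext, bytes([best]))


# Constructed sample: a registration message with the fields named in the analysis
# (username, system language, local IP), XORed with the assumed key 0x5A.
SAMPLE_PLAINTEXT = rb"ANALYST-PC\jdoe|en-US|10.0.0.25"
SAMPLE_BEACON = xor_bytes(SAMPLE_PLAINTEXT, b"\x5A")

if __name__ == "__main__":
    key, plaintext = recover_single_byte_key(SAMPLE_BEACON)
    print("captured :", SAMPLE_BEACON.hex())
    print("key      : 0x%02x" % key)
    print("plaintext:", plaintext.decode("ascii", "replace"))
```

The same scoring works on the responses from the server, and because XOR is its own inverse `xor_bytes` decodes and encodes alike; a repeating multi-byte key needs a key-length guess first, which is outside what this example does.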

KHRAT is capable of executing the following backdoor commands:

  • Provide access to the file system
  • Log keystrokes
  • Capture screenshots
  • Enumerate processes
  • Open a remote DOS command shell

Furthermore, the following table gives a timeline of KHRAT samples by compilation timestamp, with the most recent appearing earlier this month:

SHA-256                                                            Compilation timestamp (DD/MM/YYYY HH:MM)
17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0   05/01/2017 05:37
a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f   05/01/2017 05:37
540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b   16/02/2017 03:53
ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e   08/03/2017 01:43


Forcepoint Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 5 (Dropper File) - Related malware components are prevented from being downloaded and/or executed.
Stage 6 (Call Home) - Connections to the KHRAT command and control servers are blocked.

Conclusion

KHRAT’s code is reminiscent of the backdoors used in the HeartBeat and Bioazih campaigns, where the coding style is straightforward and the malware provides basic backdoor functionality to the attackers. This leads us to believe that KHRAT is simply a rehash of code available on Chinese code-sharing sites. Nonetheless, this would seem to be enough for the attackers in this case, as KHRAT variants currently have a low detection rate. We have listed the related IOCs below to help augment industry coverage of this new threat.

Indicators of Compromise

Files

bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2 ("reader112_en_ha_install.exe", dropper)
ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e (“USER.DAT”, KHRAT)

9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0 (RTF dropper with CVE-2015-1641 exploit, unknown filename)
d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5 (“KFC.exe”, KHRAT loader)
a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f (“MSKV.DAT”, KHRAT)

a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b (“The plan CPP split CNRP!.doc.exe”, dropper)
77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7 (“KFC.com”, KHRAT loader)
540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b (“MSKV.DAT”, KHRAT)

17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0 (“MSKV.DAT”, KHRAT)

KHRAT C2s

cookie[.]inter-ctrip[.]com
help[.]inter-ctrip[.]com
bit[.]inter-ctrip[.]com
kh[.]inter-ctrip[.]com
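A way to put these indicators to work, added here as an example and not code from the original post or from Forcepoint: it refangs the C2 hostnames, matches them against DNS query log lines (normalising case and the trailing dot), and matches the published SHA-256 hashes against a file inventory such as an EDR export. The log lines, host names and inventory rows are constructed sample data in an assumed `client=... query=...` format; the indicator values themselves are the ones listed above.

```python
import re

# C2 hostnames and file hashes exactly as published above (hostnames defanged with [.]).
KHRAT_C2_DEFANGED = [
    "cookie[.]inter-ctrip[.]com",
    "help[.]inter-ctrip[.]com",
    "bit[.]inter-ctrip[.]com",
    "kh[.]inter-ctrip[.]com",
]
KHRAT_SHA256 = {
    "bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2": "reader112_en_ha_install.exe (dropper)",
    "ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e": "USER.DAT (KHRAT)",
    "9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0": "RTF dropper with CVE-2015-1641 exploit",
    "d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5": "KFC.exe (KHRAT loader)",
    "a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f": "MSKV.DAT (KHRAT)",
    "a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b": "The plan CPP split CNRP!.doc.exe (dropper)",
    "77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7": "KFC.com (KHRAT loader)",
    "540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b": "MSKV.DAT (KHRAT)",
    "17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0": "MSKV.DAT (KHRAT)",
}


def refang(indicator):
    """Turn a defanged hostname back into a comparable form: [.] -> ., lower case, no trailing dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


C2_HOSTS = {refang(h) for h in KHRAT_C2_DEFANGED}

# Assumed log format for the sample: "... client=<ip> query=<name> ..." on each line.
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def match_dns_log(lines):
    """Return (client, qname) pairs whose query name is one of the KHRAT C2 hosts."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        qname = refang(m.group("qname"))
        if qname in C2_HOSTS:
            hits.append((m.group("client"), qname))
    return hits


def match_hash_inventory(rows):
    """rows: (host, path, sha256) records; return those whose hash is a published KHRAT IOC."""
    return [(host, path, KHRAT_SHA256[h.lower()])
            for host, path, h in rows if h.lower() in KHRAT_SHA256]


# Constructed sample data: three DNS queries and two inventory rows.
SAMPLE_DNS_LOG = [
    "2017-03-10T08:12:44Z dns client=10.0.0.25 query=kh.inter-ctrip.com type=A",
    "2017-03-10T08:12:51Z dns client=10.0.0.31 query=HELP.inter-ctrip.com. type=A",
    "2017-03-10T08:13:02Z dns client=10.0.0.40 query=www.example.com type=A",
]
SAMPLE_INVENTORY = [
    ("WS-0025", r"C:\Users\jdoe\USER.DAT", "ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e"),
    ("WS-0040", r"C:\Program Files\Vendor\sync.exe", "0" * 64),
]

if __name__ == "__main__":
    for client, qname in match_dns_log(SAMPLE_DNS_LOG):
        print("C2 lookup:", client, "->", qname)
    for host, path, label in match_hash_inventory(SAMPLE_INVENTORY):
        print("IOC file :", host, path, "=", label)
```

Exact-host matching is deliberate: the post names four hosts under inter-ctrip[.]com and says nothing about the parent domain, so the example does not flag other subdomains.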