# Trojanized Adobe installer used to install DragonOK’s new custom backdoor **[forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor](https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor)** March 29, 2017 Since January of this year, Forcepoint Security Labs™ have observed that the DragonOK campaign have started to target political parties in Cambodia. DragonOK is an active targeted attack that was first [discovered in 2014. It is](https://www.scmagazine.com/moafee-and-dragonok-apt-groups-leverage-similar-attack-tools-techniques/article/539927/) [known to target organizations from](http://www.securityweek.com/china-linked-dragonok-group-expands-operations) Taiwan, Japan, Tibet and Russia with spear-phishing emails containing malicious attachments. The latest dropper they used is disguised as an Adobe Reader installer and installs yet another new custom remote access tool (RAT). We have named this RAT “KHRAT” based on one of the command and control servers used, kh[.]inter-ctrip[.]com, which pertained to Cambodia’s country code. ## Dropper The trojanized installer is a RAR SFX file that has the filename “reader112_en_ha_install.exe”. It contains both a legitimate Adobe Reader installer and a malicious VBScript file: ----- As a result, when the malware is executed, the user is presented with the legitimate Adobe installer prompt while the malicious VBScript executes in the background. Below is a code snippet of the VBScript: Upon deobfuscating the script, the following code is revealed which installs of a portable executable (PE) file embedded in the script: ----- As can be seen above, the PE file is dropped as %USERPROFILE%\USER.DAT and is executed with a parameter "K1". This PE file is KHRAT, which will be discussed in the next section. ## KHRAT KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function. Otherwise, it creates the following registry as a persistence mechanism and then calls the function K3: ``` HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Run = ""%USERPROFILE%\SysWOW64.com" %USERPROFILE%\USER.DAT,K1" ``` ----- K3 then elevates the malware s privilege, by giving itself SE_DEBUG_PRIVILEGE privileges via a RtlAdjustPrivileges call, and proceeds to communicate to its command and control (C2) server. The malware initially registers itself to the C2 server by sending the infected machine’s username, system language, and local IP address. All communication to and from the C2 server are encrypted in byte-wise XOR. Below is a code snippet showing this routine prior to sending data to the malware C2: KHRAT is capable of executing the following backdoor commands: Provide access to the file system Log keystrokes Capture screenshots Enumerate processes Open a remote DOS command access Furthermore, the following table provides a timeline of KHRAT's appearances, with one appearing earlier this month: **SHA-256** **Compilation** **Timestamp** 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0 05/01/2017 05:37 a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f 05/01/2017 05:37 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b 16/02/2017 03:53 ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e 08/03/2017 01:43 ## Protection statement ----- [Forcepoint customers are protected against this threat via TRITON® ACE at the following](https://www.forcepoint.com/innovation/technology/triton-ace?cmpid=slbl) stages of attack: Stage 5 (Dropper File) - Related malware components are prevented from being downloaded and/or executed. Stage 6 (Call Home) - Connections to the KHRAT command and control servers are blocked. ## Conclusion [KHRAT’s code is reminiscent of the backdoors used in HeartBeat and](http://blog.trendmicro.com/trendlabs-security-intelligence/pulsing-the-heartbeat-apt/) [Bioazih campaigns](https://blogs.technet.microsoft.com/mmpc/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe/) where the coding style is straight forward and the malware itself provides basic backdoor functionalities to the attackers. This leads us to believe that KHRAT is simply a rehash of codes that are available on Chinese code sharing sites. Nonetheless, this would seem enough for the attackers in this case as KHRAT variants currently have a low detection rate. We have listed below the related IOCs to help augment industry coverage for this new threat. ## Indicators of Compromise ### Files ``` bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2 ("reader112_en_ha_install.exe", dropper) ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e (“USER.DAT”, KHRAT) 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0 (RTF dropper with CVE-2015-1641 exploit, unknown filename) d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5 (“KFC.exe”, KHRAT loader) a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f (“MSKV.DAT”, KHRAT) a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b (“The plan CPP split CNRP!.doc.exe”, dropper) 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7 (“KFC.com”, KHRAT loader) 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b (“MSKV.DAT”, KHRAT) 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0 (“MSKV.DAT”, KHRAT) KHRAT C2s cookie[.]inter-ctrip[.]com help[.]inter-ctrip[.]com bit[.]inter-ctrip[.]com kh[.]inter-ctrip[.]com Über Forcepoint ``` ----- Forcepoint ist einer der weltweit führenden Anbieter von Cyber-Sicherheit im Bereich Anwender- und Datensicherheit und hat es sich zur Aufgabe gemacht, Organisationen zu schützen und gleichzeitig die digitale Transformation und das Wachstum voranzutreiben. Unsere Lösungen passen sich in Echtzeit an das Nutzerverhalten an und ermöglichen Mitarbeitern einen sicheren Datenzugriff bei voller Produktivität. [Erfahren Sie mehr über Forcepoint](https://www.forcepoint.com/de/company/about-us) -----