Research Saturday 10.28.17
Ep 7 | 10.28.17

Tracking a Trojan: talking KHRAT with Ryan Olson — Research Saturday


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday.

Dave Bittner: [00:00:07] I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:23] I'd like to tell you a little bit about our sponsor, Cybrary, the people who know how to empower your security team. Cybrary is the learning and assessment tool of choice for IT and security teams at today's top companies. They deliver the kind of hands-on training fifty-five percent of enterprises say is the most important qualification when they're hiring. And once you hire, you want to retain. And Cybrary helps there too, because seventy percent of employees say professional development is a big reason for staying on board. Visit, and see what they can do for your organization. Not only is it effective, it's affordable too, costing just about a twelfth of what legacy approaches to training would set you back. So contact Cybrary for a demo. That's, and tell them the CyberWire sent you.

Ryan Olson: [00:01:20] The story of KHRAT is relatively small from the scale of the impact, a small number of individuals.

Dave Bittner: [00:01:27] That's Ryan Olson, the Director of Threat Intelligence at Palo Alto Networks. Their Unit 42 Threat Intelligence Team recently observed activity involving the Remote Access Trojan they call KHRAT, used by threat actors to target citizens in Cambodia.

Ryan Olson: [00:01:43] This is a malware tool--that's a Remote Access Tool or a Remote Access Trojan, depending on your terminology--that we associate with a group that's called DragonOK. This is an espionage group that we've seen targeting people for the last three or four years. They use a series of different, basically, malware tools, different kinds of backdoors, different techniques, to compromise organizations and then to steal their information.

Ryan Olson: [00:02:09] We've seen them target all sorts of types of organizations: folks in high tech, folks in heavy industry, NGOs, national embassies. They really do sort of have broad targeting, but when they go after someone, it's pretty specific. It's not the kind of thing--attacks from DragonOK using KHRAT--aren't the kind of thing that just any individual's typically going to experience.

Ryan Olson: [00:02:32] So to back up a little bit, KHRAT was first discovered and detailed by Forcepoint back in March. They named it KHRAT because the malware was targeting individuals and hosting their command and control structure on infrastructure in Cambodia, and ".kh" is the top-level domain for Cambodia. So they gave it that name. They gave us some description of how it operated and described some of the attacks that it had used in, and linked it back to this other group, DragonOK.

Ryan Olson: [00:03:01] We've been monitoring it since then. Palo Alto Networks collects a lot of malware. We have this big platform that's deployed globally. All of the files that pass through firewalls and get analyzed in our Wildfire Cloud, all the data from that, all the analysis reports, it all runs into this big system that we have, called AutoFocus. And then the researchers on my team and elsewhere in the company, we look at that data. We build tools, we build rules basically, to help alert us when we see something of interest.

Ryan Olson: [00:03:29] So one of the researchers in our team, Alex Hinchliffe, actually identified that a new KHRAT sample had passed into our platform, and started investigating it in June. And KHRAT is a relatively straightforward backdoor. Backdoors can have lots of different features to them. Sometimes we see commercial backdoors that have all these amazing features. They turn on your video camera, they can record your audio, you know, they've got really sophisticated GUIs to make it easy for the attacker to sort of walk through your system.

Ryan Olson: [00:04:03] KHRAT seems relatively simple though. It gives you basic access to the file system so they can, you know, read and write files, upload them back to the command-and-control server. It can log keystrokes, it can capture screenshots, and it can basically open a command prompt. So if the attacker wanted to, they could type any command they want to, run it on the Windows host.

Dave Bittner: [00:04:20] So take us through, how is this attack delivered?

Ryan Olson: [00:04:24] So the delivery is actually pretty interesting. In this case, the file that we picked up, the file that was uploaded into our cloud, was a Word document, and it was a Word document that had a filename and sort of a description that was related to, basically, an infrastructure development project happening on the Mekong River in Cambodia.

Ryan Olson: [00:04:44] So in this case what we picked up was not a whole email. There wasn't an email passing through our network, but we got this file, this Word document. And the Word document, when you open it up, it would display a message to you. It was basically going to say, hey, if you want to see the content of this file, you need to click "enable content" at the top.

Ryan Olson: [00:05:02] This is actually a really common technique that we've seen a lot of attackers pick up, basically starting in October of 2014 and just ramping up from there. And when you click that enable content button, while it might display content to you, it might actually show you some additional information, what you're really doing is telling Word, I trust this document and you can enable macro code to run inside it. That enable content button, as you've probably heard in many attacks, has become an extremely dangerous button to press.

Ryan Olson: [00:05:33] And that macro code in this Word document, what it did is reach out to another website. In this case, the website used the domain upload-dropbox[.]com, which is, you know, sort of a look-alike domain for Dropbox. It's not really owned by Dropbox, but if someone were to see network traffic to it they might not think it was suspicious. And what it was going to do is access a file there that was called something like "file.jpeg." The content of that file wasn't actually a JPEG, it wasn't an image. It was actually some WScript, some Windows Scripting Engine code, which would then get executed by the macro, which would reach out to the same server again, upload-dropbox[.]com, and download another file that looked like it was an image, but it was actually a DLL, and that DLL was KHRAT.

Ryan Olson: [00:06:22] At that point the macro would run the DLL. It would start operating on the system, it would install itself so that any time the system rebooted it would keep running, and it would give the attacker access to that host over its command-and-control channel, which happens over more HTTP requests basically to another server.

Dave Bittner: [00:06:39] So take us through the way that it masquerades as being a Dropbox infrastructure.

Ryan Olson: [00:06:45] So you can create basically any domain that you want to. If I wanted to go and register, you know, "the-cyberwire[.]com," I could go and do that if it wasn't already registered.

Dave Bittner: [00:06:57] Hey, hey, hey, back off there, buddy. (Laughs)

Ryan Olson: [00:06:59] If I wanted to, I could go and do that. And you might be able to make a claim and say, hey, you're violating my copyright and we can go to arbitration to try and transfer that back, but, you know, domains are available. People can register them, you can register them with small typos in them, you can register them with dashes where there weren't normally dashes. A lot of companies, you know, register domains defensively because they think they might be used by attackers or people who are trying to damage their brand, so they'll register a whole bunch of domains in advance. In this case, this upload-dropbox[.]com was registered by an attacker.

Ryan Olson: [00:07:31] And if you think about this from the network defender's perspective, let's say you're sitting down, you're looking for suspicious traffic, and you see a HTTP request. Basically access to a website that looks like it's on upload-dropbox[.]com, and it looks like it's going for a file called, you know, "file.jpeg." That looks a lot less suspicious than something that's on some big, random-looking domain, or just a direct connection to an IP address, and it's a file that's called, you know, "malware[.]exe" or "malware[.]dll." In either one of those cases, that would look a lot more suspicious, that would pop out as something that that guy should go and investigate, that that analyst should go and say, hey, this is something that's out of the ordinary.

Ryan Olson: [00:08:12] So this is, I mean, it's not a super sophisticated technique to try and mask your activity. But anything that an attacker can do, to sort of decrease the likelihood that you're just going to get picked up by chance, oftentimes is worthwhile. So there's lots of these kinds of, you know, basic sort of obfuscation techniques that attackers use.

Ryan Olson: [00:08:33] One of the downsides of actually going and registering your own domain, and doing it in this way, is that, you know, it becomes memorable. It's the kind of thing that another analyst in my team, if we see traffic that's going to this domain in the future, we'll know, hey, that's related to that KHRAT RAT attack. We can also keep a nice list of all the domains they've used, and get a better understanding of sort of the patterns that they use as well. In this case, it wasn't just upload-dropbox[.]com. They actually used a few subdomains of that. So, you know, "stuff.upload-dropbox[.]com" as the domain that was being contacted.

Dave Bittner: [00:09:05] Take us through the installation and the persistence.

Ryan Olson: [00:09:08] Sure, so once KHRAT is actually on the system--this is that DLL that's actually going in and running on the host--it gets written to the file system. A registry key gets created, so that when the system reboots, it's going to keep running. It's relatively straightforward. Nothing that's, you know, completely out of the ordinary.

Dave Bittner: [00:09:28] Would your standard antivirus detect this sort of thing?

Ryan Olson: [00:09:31] It's possible for antivirus to detect any kind of RAT like this; it just depends on what they know about. One of the big downsides of signature-based detection is that the antivirus program has to be aware of what it looks like before it can detect it. Most antivirus engines at this point also contain some sort of behavioral detection capabilities so that they can look at sort of how it's operating, whether or not it's doing malicious things.

Ryan Olson: [00:09:55] The technology that we operate does something very similar, where it'll actually run these files basically in a sandbox to see, does it do anything that looks suspicious, and compare those, you know, this one file to three-and-a-half billion other files to discover, does it look like the good ones or does it look like the bad ones? So it's possible that it was detected. I don't actually have the data on whether or not it was detected directly by AV signatures on the day of.

Ryan Olson: [00:10:18] But a lot of attackers, especially when you're launching a really low, sort of low and slow attack, you're targeting, you know, five or ten people at a time, it's pretty simple to get a copy. One, you can do reconnaissance. Find out, these companies, these organizations I'm targeting, what antivirus program do they use? That's actually relatively easy to find out through, you know, searching LinkedIn, through searching for job postings. If a company is, you know, got a position open where they are looking for someone who has skills around a certain antivirus product, it's really easy to know that's what they're using.

Ryan Olson: [00:10:50] And then you can upload that file to an AV testing service and say, has it been detected by this program or not? And if it's not, fantastic. Go and send your malware there, because you know it's not going to be picked up. So in this case, like I said, I don't know the exact detections for the DLL at the time, but it's not the kind of thing that you know is going to be detected right off the bat.

Dave Bittner: [00:11:10] Now in this case there was also the clever use of a click tracker.

Ryan Olson: [00:11:15] Yeah, so we saw this interesting overlap with this click tracker. Basically, on the command-and-control server itself, there was some other content that was included with this JavaScript click tracker. And a click tracker is the kind of thing that you would see used in lots of different websites. It's the kind of thing that advertising companies use to track whether or not people have viewed various pages.

Ryan Olson: [00:11:39] So this is basically just a reconnaissance tool, effectively to say, who's actually going and touching this website? Now in this case, the click tracker that was installed on this host, that was on the same server as the command-and-control server, we don't know exactly how it was connected to the KHRAT. It's possible that there was a direct connection, it's possible that it was being used for different purposes by the same attacker. But it did give them the ability to track who was visiting this web server. Is it people who are infected with the malware potentially, or is it other folks who are just sort of accessing the server?

Dave Bittner: [00:12:13] In terms of attribution, what are your conclusions there?

Ryan Olson: [00:12:16] We've attributed previous attacks related to the tools that DragonOK has used in the past. One thing, Palo Alto Networks in general doesn't attribute attacks to nation-states in particular. And the main reason for that is, as a company, our sort of vantage point, one, I'm an intelligence analyst, I've been working in this industry for over a decade, and one thing that I know, is that I oftentimes don't have enough information to make a conclusion, especially, you know, a conclusive statement that one attack was really launched by a nation-state, by a particular nation-state.

Ryan Olson: [00:12:52] I can make guesses based off of their intent, based off of capabilities around the kind of adversary who might have been responsible for particular kinds of attacks. But, since I'm not law enforcement and I'm not, you know, a government agent who might have access to additional information garnered from hosts that were used for operating the malware and other things like that, I'm rarely in a position where I can make that conclusive sort of answer.

Ryan Olson: [00:13:16] The second thing is, my customers in general, it doesn't help them to know that it's a specific nation-state necessarily. It's interesting for sure, but it doesn't really change how they're going to defend against that attacker. What they're really interested is, how capable are they, who have they attacked in the past, what kind of operations do they launch, and what can I do to keep them out of my network? So that's really what we focus on.

Ryan Olson: [00:13:39] So in our case, we associate all this activity with DragonOK, that's the code name that we use for it. These new attacks using KHRAT, we also linked back to DragonOK, as well as probably five or six tools that we've seen them use in the past. They're distinct tools that are only used by this one group.

Ryan Olson: [00:13:54] And they attack a lot of people, and their primary goal seems to be stealing information. They're not targeting people like my mom to hold her data for ransom. They're targeting high-end organizations in very specific ways, which gives us a really different kind of profile than a traditional criminal attack.

Dave Bittner: [00:14:12] Given the targeting of these types of attacks, and that they're not going after broad consumers or things like that, you know, they know who they're going after, and they have specific targets. What are the broader take-homes from your analysis of this KHRAT?

Ryan Olson: [00:14:28] So, for the kinds of organizations who might be targets of a group like DragonOK, I think it's important for them to understand what this group's tactics are now, what they have been in the past, and the fact that they are using this new remote administration tool. They've got a new component in their tool kit, and they're launching attacks with it.

Ryan Olson: [00:14:48] For everybody else, which is the vast majority population, the takeaway I would have is mostly around, this is a very sophisticated group, writing their own malware, and the way that they've chosen to target people is to send them e-mails with Word documents in them that have macros, that they just, someone has to click "enable content," and it's going to compromise their computer.

Ryan Olson: [00:15:10] And this is a technique that's used by tons of cyber criminals, people who are launching all sorts of kinds of attacks, and the same two types of actors are using the exact same technique. And the reason for that is not because they don't have anything better, it's because it works so well. It doesn't require any technical vulnerability.

Ryan Olson: [00:15:28] There are certainly things that administrators can do to stop it. Administrators can make the choice and act through Group Policy to say, let's disable for our entire enterprise the ability to run macros in Word, or do that based off of, you know, active directory groupings.

Ryan Olson: [00:15:43] But for people at home, where you don't have an administrator who's going to make that choice, disable macros. You almost never need them. Turn them off, search on whatever version of Windows and whatever version of Office you're using to disable macros entirely, and just--even if you don't have them disabled--don't click enable content. Unless the file is absolutely one that you have to run a macro in, which is relatively rare, keep that feature off. It is just too risky.

Dave Bittner: [00:16:11] Our thanks to Ryan Olson from Palo Alto Networks for joining us.

Dave Bittner: [00:16:15] And thanks again to our sponsor, Cybrary, for making this edition of Research Saturday possible. Visit, and see what they can do for your organization. Don't forget to check out our CyberWire Daily News Brief and podcast, along with interviews, our glossary, and more on our website. The CyberWire Research Saturday is produced by Pratt Street Media. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.