Trojanized Adobe installer used to install DragonOK’s new custom backdoor

Dropper

The trojanized installer is a RAR SFX file that has the filename “reader112_en_ha_install.exe”. It contains both a legitimate Adobe Reader installer and a malicious VBScript file:

As a result, when the malware is executed, the user is presented with the legitimate Adobe installer prompt while the malicious VBScript executes in the background. Below is a code snippet of the VBScript:

Upon deobfuscating the script, the following code is revealed which installs of a portable executable (PE) file embedded in the script:

As can be seen above, the PE file is dropped as %USERPROFILE%\USER.DAT and is executed with a parameter "K1". This PE file is KHRAT, which will be discussed in the next section.

KHRAT

KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function.

Otherwise, it creates the following registry as a persistence mechanism and then calls the function K3:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Run = ""%USERPROFILE%\SysWOW64.com" %USERPROFILE%\USER.DAT,K1"

K3 then elevates the malware’s privilege, by giving itself SE_DEBUG_PRIVILEGE privileges via a RtlAdjustPrivileges call, and proceeds to communicate to its command and control (C2) server. The malware initially registers itself to the C2 server by sending the infected machine’s username, system language, and local IP address.

All communication to and from the C2 server are encrypted in byte-wise XOR. Below is a code snippet showing this routine prior to sending data to the malware C2:

KHRAT is capable of executing the following backdoor commands:

• Provide access to the file system
• Log keystrokes
• Capture screenshots
• Enumerate processes
• Open a remote DOS command access

Furthermore, the following table provides a timeline of KHRAT's appearances, with one appearing earlier this month:

Protection statement

Forcepoint customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 5 (Dropper File) - Related malware components are prevented from being downloaded and/or executed.
Stage 6 (Call Home) - Connections to the KHRAT command and control servers are blocked.

Conclusion

KHRAT’s code is reminiscent of the backdoors used in HeartBeat and Bioazih campaigns where the coding style is straight forward and the malware itself provides basic backdoor functionalities to the attackers. This leads us to believe that KHRAT is simply a rehash of codes that are available on Chinese code sharing sites. Nonetheless, this would seem enough for the attackers in this case as KHRAT variants currently have a low detection rate. We have listed below the related IOCs to help augment industry coverage for this new threat.

Indicators of Compromise

Files

bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2 ("reader112_en_ha_install.exe", dropper)
ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e (“USER.DAT”, KHRAT)

9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0 (RTF dropper with CVE-2015-1641 exploit, unknown filename)
d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5 (“KFC.exe”, KHRAT loader)
a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f (“MSKV.DAT”, KHRAT)

a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b (“The plan CPP split CNRP!.doc.exe”, dropper)
77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7 (“KFC.com”, KHRAT loader)
540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b (“MSKV.DAT”, KHRAT)

17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0 (“MSKV.DAT”, KHRAT)

KHRAT C2s

cookie[.]inter-ctrip[.]com
help[.]inter-ctrip[.]com 
bit[.]inter-ctrip[.]com
kh[.]inter-ctrip[.]com