KHRAT is a backdoor trojan associated with the China-linked cyber espionage group, DragonOK. The trojan allows threat actors to access the targeted system remotely and log keystrokes, capture screenshots, and access remote shell, among other capabilities. Additionally, it registers victims using the machine's username, system language, and local IP address. KHRAT most often infects victims via spearphishing emails, using Windows applications for downloading and executing payloads. It also has an infrastructure designed to mimic the popular file-sharing application, Dropbox. The trojan was used in a spearphishing campaign in June 2017 targeting Cambodia. The emails contained a Microsoft Word document, purportedly regarding a water and fisheries project in Cambodia, that prompted the user to enable macros, allowing embedded VBA code to run and perform malicious activity. Researchers at Palo Alto Networks connected the document to the domain name "update.upload-dropbox[.]com" which was hosted on a compromised Cambodian government's website. Once the document is opened and the macros are enabled, KHRAT launches "regsrv32.exe," a legitimate program, in an attempt to bypass Windows protections. Additionally, the trojan's code allows the actor to monitor who is visiting the site, gathering data such as user-agent strings, domain, cookie, referrer, and Flash version. The group behind KHRAT, DragonOK, is also associated with the PlugX and ZeroT trojans and have previously targeted organizations in Japan and Taiwan.

Technical Details

Palo Alto Networks provides technical analysis on the KHRAT, here.

Trojan VariantsNJCCICKHRAT