Threat Research

The Curious Case Of The Document Exploiting An Unknown Vulnerability – Part 2: RATs, Hackers and Rihanna

By Roland Dela Paz | August 24, 2015

Previously my colleague Wayne talked about an interesting document exploit targeting CVE-2015-1641. In this post, we will talk about who might be behind the attack.

We start our correlation with the analysis of the exploit payload - a remote administration tool (RAT) with MD5 6bde5462f45a230edc7e7641dd711505 (detected as MSIL/Agent.QOO!tr). This RAT looks new to us; hence we suspected that it may either be a new RAT family or a custom RAT that was developed for a specific attacker (hacker). It is compiled with Microsoft Visual Basic .NET with the following backdoor commands listed in its code:

Figure 1

Figure 1. RAT backdoor commands

It also contains the following program database (PDB) reference in its code:

D:\\1-Visual Basic Proggetti\\UtilityWarrior\\UtilityWarrior\\obj\\Debug\\UtilityWarrior.pdb

As such, we will call this RAT “Utility Warrior”.

Utility Warrior connects to the C&C server which resolves to We have seen quite a few malicious DNS names pointing to this IP address including Interestingly, serves as a C&C server for (at least) 3 AlienSpy RAT with MD5’s 7bb1f568a9877c1177a134a273ad744f, b411d5fd45711e2223d0d85e84850d3f, and 7f44125412432e2533fb76cf49642dd1 where the last 2 MD5s also connects to another site - - to download further components. Below is a graph of these relationships:

Figure 2. Relationship of Utility Warrior to other AlienSpy RATs, on the other hand, shows the following registrar information which is obviously fake:

Figure 3. Registration information for

However based on our research, the email was also used to register a number of other dodgy domains. This includes and which hosted some more unknown/custom RATs. These RATs phoned home to the exact same C&C IP address,

Figure 4. Other domains registered by


An interesting email address in our hands leads to the question - who is hktristars?

We found the following Freelancer profile:

Figure 5. profile for the handle hktristars

There is not much information on this profile. However we can see that the user is from Nigeria. Also the fact that Hktristars created a profile on a Freelancer site may indicate the man behind it may not have a regular day job. But what has he been doing?

We saw the following post from the same handle in the forum

Figure 6. hktristars' post on

To those unfamiliar, Virtual Network Computing (VNC) backconnect allows a hacker to open a backdoor to a machine while bypassing Windows firewall. 

We were also able to locate the following advertisements from the same handle where he appears to be looking for someone to code an obfuscation program and RAT for him:

Figure 7. Hktristars looking for a developer of an obfuscation program

Figure 8. Hktristars looking for a RAT developer

Additionally, it appears that Hktristars uses the services of SBXChanger, an E-currency exchange site:

Figure 9. Hktristars' feedback on SBXChanger

For someone who facilitates illegal activities online, this makes sense as e-currency provides crooks the benefit of anonymity.

Finally, the email address revealed the following Google Plus profile with the name “pawan chohan”:

Figure 10. Hktristars' Google Plus profile

Again, there is not much information available; but we noticed that all the contacts of this profile are individuals from Nigeria also. The name "Pawan Chohan" sounds more like an Indian name than Nigerian, so it is likely a fake name. However for the sake of calling him a name, let's use Pawan anyway.

At this point we can tell that Pawan, a.k.a. Hktristars, is more than likely a Nigerian hacker. He also outsources his tools to third parties by posting advertisements in order to conduct cybercrime. This aligns with our findings in part 1 of this blog where we found that CVE-2015-1641 exploits are available for sale on the Internet. But where did he buy the Utility Warrior RAT?

Utility Warrior RAT and “Dodosky”

In figure 4 above we can see that one of the custom RATs Pawan used is 84f169c2ff66175c415dca6e3d1d7a11 (detected as W32/Teno.3E61!tr). This RAT’s code - also developed in Visual Basic - contained the following Structure with an interesting string “DODOSKY”:

Figure 11. W32/Teno.3E61!tr's struct code

Searching the same string online leads to a Youtube account with title “Dodosky™ | Hacking & Modding”. The home page includes a video advertisement of a RAT that the user developed. Although it is a different RAT from W32/Teno.3E61!tr, it is also written in Visual Basic. We can also find a profile description from this account with some interesting details:

Figure 12. Dodosky's youtube profile description

Remember Utility Warrior’s PDB reference? Well, there was no “Dodosky” string in it but it was also compiled in VB .NET. More interestingly, the top level folder contained the word “Progretti” which is an Italian word for “project”:

D:\\1-Visual Basic Proggetti\\UtilityWarrior\\UtilityWarrior\\obj\\Debug\\UtilityWarrior.pdb

Due to these similarities, while not obvious, we believe that Edoardo a.k.a. Dodosky coded both the unknown RAT (W32/Teno.3E61!tr) and Utility Warrior for Pawan, and that Pawan is a regular customer of Edoardo. It is also worth noting that Edoardo also uses the handle "๖ۣۜVekzy๖ۣۜHere" in where he advertises his hacking team who produces malicious tools for sale.


Based on our findings above, we believe that Pawan is an amateur Nigerian hacker who relies on a circle of amateur hackers, such as Edoardo, to buy cybercrime tools and conduct illegal activities. However, Pawan poses a threat to victims of his RAT and may cause considerable damage if the RAT infections are not remediated immediately. Below is a summary of Pawan’s malicious activities:

  • Use of document exploits and macros to drop RATs
  • He used at least 5 unknown/custom RATs
  • It is likely that he uses other commercial RATs aside from AlienSpy, but we are unable to confirm
  • Some of the RATs he used are signed
  • He also registered other domains that is unrelated to his RAT campaigns. Hence, we highly suspect that he is engaged to other online crimes as well.

Fortinet detects all malicious files and blocks all malicious URLs and IPs discovered during this research.

Related IPs and URLs:

Related MD5s:

-= FortiGuard Lion Team =-

Join the Discussion