The Ke3chang hacking group (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has developed new malware dubbed Ketrum by borrowing parts of the source code and features from their older Ketrican and Okrum backdoors.
“In mid May, we identified three recently uploaded samples from VirusTotal that share code with older APT15 implants. We named this new family of samples, “Ketrum”, due to the merger of features in the documented backdoor families “Ketrican” and “Okrum”.” reads the report published by the security firm Intezer.
“We believe the operation was conducted very recently.”
Back in 2013, security researchers at FireEye spotted a group of China-linked hackers that conducted an espionage campaign against foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang’, and the threat actors behind the attacks were later spotted targeting personnel at Indian embassies across the world.
In May 2016, researchers from Palo Alto found evidence that the threat actors behind Operation Ke3chang had been active since at least 2010.
The cyber-espionage group is believed to be operating out of China; it has also targeted military and oil industry entities, government contractors, and European diplomatic missions and organizations.
Intezer researchers recently discovered three Ketrum backdoor samples that had been uploaded to the VirusTotal platform. They noticed that the samples reused part of the source code and features from Ke3chang’s Ketrican and Okrum backdoors.
“Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs,” continues the analysis. “Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality.”
The three Ketrum samples connected to the same China-based command and control server and were used in two different time periods.
The command and control (C2) server was shut down in mid-May, after the Ketrum samples were spotted.
The differences between the backdoors are listed below:
|Identify installed proxy servers and use them for HTTP requests|
|Special folder retrieval using registry key [HKEY_CURRENT_USER\Software\|
|The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields|
|Backdoor commands are determined by a hashing value received from C2||❌||✅||❌||❌|
|Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests||❌||✅||✅||❌|
|Impersonate a logged in user’s security context||❌||✅||✅||❌|
|Create a copy of cmd.exe in their working directory and use it to interpret backdoor commands||✅||❌||✅||❌|
|Usual Ke3chang backdoor functionalities – download, upload, execute files/shell commands and configure sleep time||✅||✅||✅||✅|
The Ketrum 1 sample was uploaded to VirusTotal in December 2019 and has a fake January 7, 2010, timestamp. It implements many features from Okrum and abandons more advanced Okrum features.
The newer Ketrum 2 seems to have been built for minimalism; it drops most of the useless features of the Ke3chang backdoors.
“Unlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configurations. In previous implants, Powershell was used for this end.” states the report.
“The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi.”
Intezer’s report includes Indicators of Compromise (IoCs) and additional details regarding the new Ketrum malware.
(SecurityAffairs – Ke3chang, hacking)