Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years. APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide in several industries, including the defense, high tech, energy, government, aerospace, and manufacturing. The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks.
Experts discovered that since December 2016, the APT15 group has been using the previously undocumented backdoor dubbed Okrum. The
“Second, we identified a previously undocumented malware family with strong links
The hackers leverage the
The Okrum backdoor supports several commands to implement several abilities, such as download/upload files, execute binaries, run shell commands, update
Experts noticed that the
Experts noticed that organizations infected with
“In late 2016, we identified a previously unknown backdoor that we named Okrum. We discovered that the
ESET has not been able to discover the initial attack vector and the dropper of the malware, anyway the experts have identified the following components used in the
The Okrum backdoor is not very complex, this implies that most of the malicious activity must be performed by manually typing shell commands, or by executing other available tools.
ESET also reported that the APT15 has been
Attackers also noticed that systems infected with the above two families were also targeted with the RoyalDNS malware that uses DNS to communicate with the C&C server. Once executed the command the backdoor returns output through DNS.
In 2018, the APT15 group used new Ketrican samples that implemented the ability to load DLLs and adopted the XOR cipher for encryption.
“Finally, the 2018 Ketrican
Researchers also observed other two new Ketrican samples in 2019 that present many
“The Ke3chang APT group (a.k.a. APT15) has rightfully been on the radar of security researchers because of its decade-long operation, targeting high-value victims such as diplomatic entities, and other geopolitical aspects associated with them.” concludes ESET. “While ESET does not engage in attribution of these activities to a particular nation-state, we do attempt attribution of individual malware-driven