Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years. APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide in several industries, including the defense, high tech, energy, government, aerospace, and manufacturing. The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks.
Experts discovered that since December 2016, the APT15 group has been using the previously undocumented backdoor dubbed Okrum. The
“Second, we identified a previously undocumented malware family with strong links
The hackers leverage the
The Okrum backdoor supports several commands to implement several abilities, such as download/upload files, execute binaries, run shell commands, update
Experts noticed that the
Experts noticed that organizations infected with
“In late 2016, we identified a previously unknown backdoor that we named Okrum. We discovered that the
ESET has not been able to discover the initial attack vector and the dropper of the malware, anyway the experts have identified the following components used in the
The Okrum backdoor is not very complex, this implies that most of the malicious activity must be performed by manually typing shell commands, or by executing other available tools.
ESET also reported that the APT15 has been
Attackers also noticed that systems infected with the above two families were also targeted with the RoyalDNS malware that uses DNS to communicate with the C&C server. Once executed the command the backdoor returns output through DNS.
In 2018, the APT15 group used new Ketrican samples that implemented the ability to load DLLs and adopted the XOR cipher for encryption.
“Finally, the 2018 Ketrican
Researchers also observed other two new Ketrican samples in 2019 that present many
“The Ke3chang APT group (a.k.a. APT15) has rightfully been on the radar of security researchers because of its decade-long operation, targeting high-value victims such as diplomatic entities, and other geopolitical aspects associated with them.” concludes ESET. “While ESET does not engage in attribution of these activities to a particular nation-state, we do attempt attribution of individual malware-driven
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.