28 May 2020

Ke3chang hacking group updates its malware arsenal with new Ketrum backdoor

The Ke3chang threat group believed to be working on behalf of the Chinese government has refreshed its hacking toolset with new malware dubbed Ketrum, which borrows parts of the source code and features from the group’s older Ketrican and Okrum implants.

The Ke3chang crew (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has been active since at least 2010 and is known for its attacks against various high-profile entities spanning multiple continents, with European ministries, Indian embassies, and British military contractors among the victims.

In a recent report describing the inner workings of the Ketrum malware, Intezer researchers said they discovered three samples uploaded to VirusTotal that share code with older APT15 implants. The new malware was dubbed “Ketrum” because it merges features of the documented backdoor families “Ketrican” and “Okrum”.

The Ketrum samples analyzed by the researchers show that Ke3chang is continuing its strategy of using basic backdoors that let the operators take over a target device, connect to it from a remote server, and manually perform further operations.

“Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs. Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality,” the report said.

The three samples communicated with the same command-and-control server and were used in two different time periods. The C&C server was shut down in mid-May, after the Ketrum samples were discovered.

The Ketrum 1 sample was uploaded to VirusTotal in December 2019 and carries a fake January 7, 2010 timestamp. It incorporates most of the features found in the Ketrican and Okrum backdoors. The Ketrum 2 sample, by contrast, appears to be built for minimalism and has only basic backdoor functionality.
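A forged build date is only detectable if you actually read it from the binary and compare it with something you trust. The following is an added example, not code from the Intezer report or from the Ketrum samples: it parses the `TimeDateStamp` field of a PE file's `IMAGE_FILE_HEADER` (the article does not say which timestamp was faked; this example assumes it is that field) and flags a stamp that is either later than the date the file was first seen (impossible for a genuine build) or earlier than an analyst-chosen floor. The sample header bytes are constructed inline with the same 2010-01-07 date the article mentions; the 2015 floor and the December 2019 first-seen date are illustrative assumptions, not values from the report.

```python
import struct
from datetime import datetime, timezone

# Constructed test input: the Unix time for 2010-01-07 00:00:00 UTC, the date the
# article reports as the forged timestamp on the Ketrum 1 sample.
FAKE_STAMP = 1262822400


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC datetime (helper so thresholds are easy to write)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_sample(timestamp: int) -> bytes:
    """Construct a minimal DOS stub + PE signature + IMAGE_FILE_HEADER for testing.

    This is NOT a real Ketrum binary; it is the smallest byte layout the parser
    below needs: 'MZ' magic, e_lfanew at offset 0x3C pointing to 'PE\\0\\0', then
    Machine, NumberOfSections and TimeDateStamp.
    """
    e_lfanew = 0x40
    hdr = bytearray(e_lfanew + 24)          # 4-byte signature + 20-byte file header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine (IMAGE_FILE_MACHINE_I386), NumberOfSections, TimeDateStamp
    struct.pack_into("<HHI", hdr, e_lfanew + 4, 0x014C, 3, timestamp)
    return bytes(hdr)


def pe_timestamp(data: bytes) -> datetime:
    """Return the IMAGE_FILE_HEADER.TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the 4-byte TimeDateStamp.
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_flags(data: bytes, first_seen: datetime, floor: datetime) -> list:
    """Return the reasons a compile timestamp looks forged (empty list if plausible).

    first_seen: when the file was first observed (e.g. VirusTotal submission date);
                a genuine build cannot postdate its own first sighting.
    floor:      earliest build date the analyst considers plausible for this toolset;
                an assumption chosen per case, not a property of the PE format.
    """
    stamp = pe_timestamp(data)
    flags = []
    if stamp > first_seen:
        flags.append("after_first_seen")
    if stamp < floor:
        flags.append("before_floor")
    return flags


if __name__ == "__main__":
    sample = build_sample(FAKE_STAMP)
    print("TimeDateStamp:", pe_timestamp(sample).isoformat())
    print("flags:", timestamp_flags(sample, first_seen=utc(2019, 12, 1), floor=utc(2015, 1, 1)))
```

On a real file, replace `build_sample(...)` with the bytes read from disk; the parser only needs the first `e_lfanew + 12` bytes. A stamp that passes both checks is not proof of authenticity, since an attacker can just as easily choose a plausible date, so treat the result as one triage signal alongside linker version, rich header and import-table evidence.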

“Unlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configurations. In previous implants, Powershell was used for this end,” according to the report.

“Ke3chang’s numerous tools such as Okrum, Ketrican, TidePool, Mirage, Ketrum, and others all serve the same purpose, give or take a few techniques or functionalities tailored for specific targets. The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi,” the researchers concluded.
