The Ke3chang threat group believed to be working on behalf of the Chinese government has refreshed its hacking toolset with new malware dubbed Ketrum, which borrows parts of the source code and features from the group’s older Ketrican and Okrum implants.
The Ke3chang crew (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has been active since at least 2010 and is known for their attacks against various high-profile entities spanning multiple continents, with European ministries, Indian embassies, and British military contractors among the victims.
In a recent report describing the inner workings of the Ketrum malware Intezer researchers said they discovered three samples uploaded to VirusTotal that share code with older APT15 implants. The new malware has been dubbed “Ketrum” due to the merger of features in the documented backdoor families “Ketrican” and “Okrum”.
The Ketrum samples analyzed by researchers showed that Ke3chang is continuing its strategy of using basic backdoors that allow them to take over target device, connect to it from a remote server, and manually perform further operations.
“Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs. Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality,” the report said.
The three samples communicated with the same command and control server and have been used in two different time periods. The C&C server was shut down during mid-May after the Ketrum samples were discovered.
The Ketrum 1 sample was uploaded to VirusTotal in December 2019 and came with a fake January 7, 2010, timestamp. The sample incorporates most of the features available in Ketrican and Okrum backdoors. However, the Ketrum 2 sample appears to be built for minimalism and has only basic backdoor functionality.
“Unlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configurations. In previous implants, Powershell was used for this end,” according to the report.
“Ke3chang’s numerous tools such as Okrum, Ketrican, TidePool, Mirage, Ketrum, and others all serve the same purpose, give or take a few techniques or functionalities tailored for specific targets. The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi,” the researchers concluded.