Updated versions of malware families and a new backdoor dubbed Okrum linked to the Ke3chang APT group is being used to target political figures in Eastern Europe and the Americas. The Ke3chang group, also known as Vixen Panda, Royal APT, Playful Dragon or APT15, has been present on the threat landscape since at least 2010 conducting cyber-espionage campaigns against entities from the oil industry and military, government contractors, as well as European diplomatic missions and organizations.
Researchers from ESET, who have been tracking the the malicious activities related to Ke3chang for several years, have released a detailed report describing the malware used by this treat actor in its operations between 2015 and 2019. In one of the campaigns active 2012 to 2015 the group leveraged a RAT-like malware dubbed TidePool which allowed it to collect info on its targets by exploiting the CVE-2015-2545 Microsoft Office vulnerability. From 2016 to 2017 Ke3chang employed the RoyalCLI and RoyalDNS backdoors as part of campaigns targeting the UK government, attempting to steal military tech and governmental info.
In 2016 the researchers discovered previously unknown backdoor which they named Okrum that was used in attacks on targets in Slovakia. The malware had been seen in number of Ke3chang’s campaigns throughout 2017-2018 and had been used for delivering different versions of Ketrican backdoors. Now there is new evidence that the group updated its tactics in a series of attacks targeting diplomats in Belgium, Brazil, Chile, Guatemala, and Slovakia.
The Okrum backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components that threat actor frequently changes in order to avoid detection. Okrum’ functionality includes only basic backdoor commands, such as downloading and uploading files, executing files and shell commands. Most of the malicious activity has to be performed by typing shell commands manually, or by executing other tools and software – a common practice of the Ke3chang group, which had also been pointed out previously in the Intezer and NCC Group reports monitoring Ke3chang group activity.
Additionally, the researchers have found updated versions of the Ketrican backdoor with some code improvements that were used during 2018 and 2019, targeting the same type of organizations as in previous campaigns. The Okrum and the Ketrican hacking tools allow Ke3chang to intercept information about victims, including their username, IP address, operating system and build number, their language and country name, and other communication.
“Just like other known Ke3chang malware, Okrum is not technically complex, but we can certainly see that the malicious actors behind it were trying to remain undetected by using tactics such as embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, as well as making frequent changes in implementation. As for the analyzed Ketrican samples, these show visible evolution and code improvements from 2015 to 2019,” concluded the researchers adding that at the moment it is unclear, how the group delivers the malware to its targets.
More detailed analysis and indicators of compromise (IOCs) can be found in ESET’s whitepaper named “Okrum and Ketrican: An overview of recent Ke3chang group activity”.