18 July 19, 18:39
(This post was last modified: 18 July 19, 18:41 by silversurfer.)
Quote: The Ke3chang cyberespionage group, a.k.a. APT15, Mirage, Playful Dragon or Vixen Panda, has been tied to a backdoor called Okrum that has been used to target diplomatic missions throughout Europe and Latin America. The attribution widens the scope of known Ke3chang activity, an APT believed to be operating from China.
Ke3chang first appeared in 2010, making a name for itself by developing simple but custom malware like the BS2005/Ketrican backdoors and the RoyalDNS malware and deploying it in what was dubbed “Operation Ke3chang.” Almost 10 years later, the group continues to be active according to ESET, using revamped versions of BS2005/Ketrican.
In 2015, Ke3chang made a splash by continuing its previous Operation Ke3chang attacks that centered around Slovakia, using the BS2005/Ketrican backdoor family.
The following year, ESET discovered Okrum, focused on the same type of targets: diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil, with the attackers showing a particular interest in Slovakia. The attackers were also seen using a related TidePool malware family discovered by Palo Alto Networks that targeted Indian embassies across the globe.
The Okrum activity continued through 2017 and the ESET team has been able to tie it back to Ke3chang, with Okrum observed acting as a first-stage malware that then fetched Ketrican samples to install on a compromised machine.
“Our research has shown that the Ketrican, Okrum and RoyalDNS backdoors detected by ESET after 2015 are linked to previously documented Ke3chang group activity, and to each other, in a number of ways,” said ESET researcher Zuzana Hromcová, in an analysis [PDF] posted on Thursday. “[Since then], Ketrican backdoors from 2015, 2017, 2018 and 2019 have all evolved from malware used in Operation Ke3chang.”
SOURCE: https://threatpost.com/ke3chang-apt-undo...or/146537/