The notorious Ke3chang hacking group, which has targeted the militaries and governments of various countries for years, has now updated the malicious tools in its arsenal by combining source code and features from its older Okrum and Ketrican backdoors.
The group has been active since 2010 but was first reported only in 2012, when it used a Remote Access Trojan (RAT) known as Mirage to attack different high-profile targets around the world. From 2012 to 2015, the attackers resurfaced with a malware named TidePool, and later in 2016 – 2017 with the RoyalCLI and RoyalDNS backdoors that targeted the government of the United Kingdom. From 2018, the Ke3chang group was spotted using an updated version of the Mirage RAT known as MirageFox.
The cyberespionage group has also been tracked with names like APT15, Vixen Panda, Playful Dragon, and Royal APT.
New Face with old features
Recent reports have described the discovery of three Ketrum backdoor samples and have attributed them to the Ke3chang group after noticing that Ketrum reuses both features and code from Ke3chang's Ketrican and Okrum backdoors.
The analyzed Ketrum samples show that the cyberespionage group hasn’t deviated much from their previous methods and has retained their documented tactics, techniques, and procedures (TTPs).
The new backdoor also exhibits the same old features, by which threat actors can take control of a targeted device, connect it to a remote server and then manually execute the other steps of the operation.
Furthermore, it was found that the malware connected to an Asia-based command and control (C2) server that terminated its operations after the samples were found.
The feature comparison between the older and the newer versions of the backdoors is given below.
| Backdoor Capabilities | Ketrican | Okrum | Ketrum1 | Ketrum2 |
| --- | --- | --- | --- | --- |
| Identify installed proxy servers and use them for HTTP requests | No | Yes | Yes | Yes |
| Special folder retrieval using registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] | Yes | No | Yes | Yes |
| The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields | Yes | No | No | Yes |
| Backdoor commands are determined by hashing a value received from the C2 | No | Yes | No | No |
| Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests | No | Yes | Yes | No |
| Impersonate a logged-in user's security context | No | Yes | Yes | No |
| Create a copy of cmd.exe in its working directory and use it to interpret backdoor commands | Yes | No | Yes | No |
| Usual Ke3chang backdoor functionalities - download, upload, execute files/shell commands and configure sleep time | Yes | Yes | Yes | Yes |
| Screenshot grabbing functionality | No | No | Yes | No |
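One of the table's TTPs, a private copy of cmd.exe dropped into the backdoor's working directory and used as its command interpreter, is easy to hunt for in endpoint telemetry. The following detection logic is an added example written for this post, not code from the report or from eScan; it runs over constructed Sysmon-style events (process creation and file creation) and flags any cmd.exe that is executed from, or written to, a directory other than the default Windows system directories, which are an assumption you may need to extend for your own fleet.

```python
# Constructed sample events in Sysmon style (not taken from the report):
# a benign cmd.exe launch, a cmd.exe copied into a user profile and launched
# from there, the file-create event that wrote that copy, and an unrelated write.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\cmd.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\svc\\cmd.exe",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

# Assumption: cmd.exe legitimately lives only under these directories on a
# default install. Add WinSxS or custom image paths if your environment differs.
LEGIT_CMD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_cmd_outside_system(path: str) -> bool:
    """True when the path names a cmd.exe that is not under a legitimate system directory."""
    p = path.lower()
    if not p.endswith("\\cmd.exe"):
        return False
    return not any(p.startswith(d) for d in LEGIT_CMD_DIRS)


def find_cmd_copies(events):
    """Return (event_id, cmd_path, actor) for each relocated cmd.exe seen in the events.

    Event ID 1 (process creation): cmd.exe executed from an unexpected directory;
    actor is the parent process. Event ID 11 (file creation): cmd.exe written
    outside the system directories; actor is the writing process.
    """
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and is_cmd_outside_system(ev.get("Image", "")):
            hits.append((1, ev["Image"], ev.get("ParentImage", "")))
        elif eid == 11 and is_cmd_outside_system(ev.get("TargetFilename", "")):
            hits.append((11, ev["TargetFilename"], ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for eid, path, actor in find_cmd_copies(SAMPLE_EVENTS):
        print(f"EventID {eid}: cmd.exe outside system dirs: {path} (actor: {actor})")
```

Pairing the file-create hit with the later process-create hit from the same directory gives a higher-confidence signal than either event alone.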
Minimalism of the Malware
The samples that were found share a similar layout with the earlier Ke3chang tools, differing only in the low-level implementation and in the APIs used to achieve the same functionality.
The first Ketrum sample which came with a fake timestamp displays all the features that were available in the older backdoors while the Ketrum 2 variant dropped a lot of the old features and persisted with the most common Ke3chang backdoor functionalities.
With the new Ketrum 2 variant, the threat actors can download, upload, and execute files/shell commands while also being capable of configuring the sleep time of the infected device. However, they are no longer capable of taking screenshots.
The group of threat actors has continued to morph their code and switch a few basic features in different variants of their backdoors. This strategy has been working for them since the start of their malicious operations and they show no sign of deviating from their modus operandi.
Our experts consider this a golden age for cyber espionage, given how pervasive malware with backdoor capabilities focused on stealing highly sensitive information has become.
To read more, please check eScan Blog