Published on May 26th, 2020

Hacking group builds new Ketrum malware from recycled backdoors

The Ke3chang hacking group historically believed to be operating out of China has developed new malware dubbed Ketrum by merging features and source code from their older Ketrican and Okrum backdoors.

The cyber-espionage activities of the Ke3chang advanced persistent threat (APT) group (also tracked as APT15, Vixen Panda, Playful Dragon, and Royal APT) go as far as 2010 according to FireEye researchers.

Ke3chang's operations target a wide range of military and oil industry entities, as well as government contractors and European diplomatic missions and organizations.

New malware with old features

A new report from Intezer researchers shows how they discovered three Ketrum backdoor samples this month on the VirusTotal platform and attributed them to the Chinese cyberspies after noticing that the samples reused both code and features from Ke3chang's Ketrican and Okrum backdoors.

The Ketrum samples they analyzed showed that the hacking group hasn't deviated from its previously documented Tactics, Techniques, and Procedures (TTPs).

The new backdoor still follows the same principle of providing a basic backdoor that can be used by Ke3chang operators to take control of a targeted device, connect to it from a remote server, and manually go through the other steps of the operation.

As they further found, the malware connected to a China-based command and control (C2) server that ceased operating in mid-May, after the Ketrum samples were spotted.

A feature comparison between the older Ketrican and Okrum backdoors and the new Ketrum backdoor samples is embedded below.

Backdoor capabilities compared across Ketrican, Okrum, Ketrum 1 and Ketrum 2 (the comparison is an image; only the capability rows are reproduced here, not which backdoor has each one):

- Identify installed proxy servers and use them for HTTP requests
- Special folder retrieval using the registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
- The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields
- Backdoor commands are determined by a hash value received from the C2
- Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests
- Impersonate a logged-in user's security context
- Create a copy of cmd.exe in their working directory and use it to interpret backdoor commands
- Usual Ke3chang backdoor functionalities: download, upload, execute files/shell commands and configure sleep time
- Screenshot-grabbing functionality
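One of the capabilities listed above, hiding C2 traffic in Cookie and Set-Cookie headers, is something a defender can hunt for in proxy logs. The following added example (not code from the report or from Intezer) flags cookie values that are unusually long and high-entropy; the sample requests, the cookie names and the thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample proxy-log records (method, host, raw Cookie header).
# Hosts, cookie names and values are invented; 203.0.113.10 is a documentation address.
SAMPLE_REQUESTS = [
    ("GET", "www.example.com", "sessionid=abc123; lang=en-US"),
    ("GET", "news.example.org", "_ga=GA1.2.1234567890.1589000000; consent=yes"),
    # One long, opaque value under a meaningless name: the shape of a covert channel.
    ("POST", "203.0.113.10",
     "c=5f8a9ZK2pQm3xT7vBn4LwE1rYs6Hd0JcUa8Ni9oQtRe2Xb7Vk3Mz1GfWy5Pl0Sh"),
]


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookies(header):
    """Split a Cookie/Set-Cookie header value into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def suspicious_cookies(header, min_len=40, min_entropy=4.5):
    """Return cookie names whose values are long AND high-entropy (assumed thresholds)."""
    return [name for name, value in parse_cookies(header)
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy]


def scan(requests):
    """Apply the check to every record; return (host, flagged cookie names) per hit."""
    hits = []
    for _method, host, cookie in requests:
        flagged = suspicious_cookies(cookie)
        if flagged:
            hits.append((host, flagged))
    return hits
```

Legitimate session tokens and JWTs also score high, so in practice the thresholds should be baselined per host and the hit correlated with other signals such as a destination outside the organisation's usual traffic.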

Malware minimalism

"Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs," Intezer explained. "Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality."

While the Ketrum 1 sample, which carries a faked January 7, 2010, timestamp, shows that the hacking group implemented most of the features available in the two older backdoors, the newer Ketrum 2 variant drops most of the fluff and keeps only the most common Ke3chang backdoor functionalities.

When using the minimalist Ketrum 2 backdoor during one of their attacks, the operators can download, upload, and execute files/shell commands, as well as configure the sleep time on compromised devices, but they can no longer take screenshots.

"The group continues to morph its code and switch basic functionalities in their various backdoors," Intezer concludes. "This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi."

Ke3chang activity (ESET)

ESET researchers were the ones who spotted the group's Ketrican and Okrum backdoors in 2015 and 2016, respectively, while investigating attacks against several diplomatic missions around the globe.

Between 2012 and 2015 Ke3chang used the TidePool RAT-like malware to collect info after exploiting the CVE-2015-2545 Microsoft Office security flaw, while from 2016 to 2017 the group deployed the RoyalCLI and RoyalDNS backdoors in attacks targeting the UK government, attempting to steal military tech and governmental info.

In 2018, Ke3chang started using another implant, a variant of the Mirage Remote Access Trojan (RAT) dubbed MirageFox.

Indicators of compromise (IOCs) and additional details regarding the new Ketrum family of malware can be found in Intezer's report.
