This data-stealing malware waits for you to click a mouse button three times before going into action

Cyber-espionage campaign is thought to be the work of Ke3chang, an ATP hacking group that has been active for ten years.
Written by Danny Palmer, Senior Writer

An elusive hacking operation is using a previously unreported backdoor in a malware campaign targeting diplomats and government departments around the world.

China tightens military control in fresh censorship wave

The Ke3chang advanced persistent threat group is thought to operate out of China and has conducted cyber-espionage campaigns using remote access trojans and other malware since at least 2010.

Now cybersecurity researchers at ESET have identified new attacks by Ke3chang – also known as APT 15 – which use an updated version of their Ketrican malware, alongside a new backdoor that has been dubbed Okrum.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

The attackers have targeted diplomatic bodies and other government institutions in countries across Europe and Central and South America. Slovakia appears to be a key region of interest for Ke3chang, but campaigns have also targeted Belgium, Croatia, Czech Republic in Europe, as well as Brazil, Chile and Guatemala in the Americas.

Previous activity by the group indicates that the goal of this latest round of attacks is likely to be spying on behalf of Beijing.

"The attacker's main goal is most likely cyber espionage, that's why they selected these targets," Zuzana Hromcova, researcher at ESET told ZDNet.

It's still not known how Okrum is distributed to targets, but the loader is dropped onto a machine before checking it isn't running in a sandbox – if it is, it terminates itself in an effort to avoid detection and analysis by researchers.

The payload only begins operating after the left mouse button has been clicked at least three times – likely to be another tactic to ensure it is only being installed on real, functioning machines.

Once fully deployed, Okrum can provide itself will full administrator privileges and collects information about the infected machine, such as computer name, username, host IP address and what operating system is installed.

The malware is also capable of issuing commands like downloading and uploading files – a useful tool for stealthily stealing files, as well as executing shell commands and issuing updates. Researchers have also spotted Okrum deploying additional tools like Mimikatz which can act as as a keylogger and password stealer.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)       

The investigation found that Okrum shared many of the same commands as Ketrican, as well as strong similarities in the code of the two forms of malware. Researchers also found that the same victims were being targeted by both forms of malware, suggesting a strong link – even though some of the attacks were years apart.

"We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017," said Hromcova

"On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors," she added.

With the campaign having been active for almost a whole decade and still evolving its tactics and attacks, it's highly likely that Ke3chang will continue to remain active and conduct further attacks against geopolitical targets.

ESET has listed all of the known Indicators of Compromise related to the campaigns in its full analysis of Ke3chang activity.


Editorial standards