ESET researchers have discovered new versions of malware families linked to the elusive Ke3chang group, along with a previously unreported backdoor. ESET has been tracking the APT group, which is believed to be operating out of China, for several years.
The newly discovered backdoor, named Okrum by ESET, was first detected in late 2016 and throughout 2017. It was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. Furthermore, since 2015, ESET has continued to detect new versions of known malware families attributed to the Ke3chang group.
In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican.
In late 2016, the researchers discovered a new, previously unknown backdoor, which aimed for the same targets in Slovakia that were previously targeted by the Ketrican backdoors in 2015. The backdoor, which they dubbed Okrum, continued to be active throughout 2017.
Zuzana Hromcova from ESET said that they started connecting the dots when they discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, they found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors. The group remains active in 2019 – in March, they detected a new Ketrican sample, they remarked on the most recent activities of the notoriously elusive group.
The ESET investigation provides evidence attributing the newly discovered backdoor to the Ke3chang group. Besides the shared targets, Okrum has a similar modus operandi as previously documented Ke3chang malware. For example, Okrum is only equipped with basic backdoor commands and relies on manually typing shell commands and executing external tools for most of its malicious activity, which is a standard modus operandi of the Ke3chang group across its previously investigated campaigns.
Despite the malware not being technically complex, we can certainly see that the malicious actors behind Okrum were trying to remain undetected. We have recorded several detection evasion techniques in the Okrum malware.
The payload itself is hidden in a PNG file. When the file is viewed in an image viewer, an innocuous-looking PNG image is displayed, but the Okrum loaders are able to locate an extra encrypted file that the user cannot see.
Also, the operators of the malware tried to hide malicious traffic with its Command & Control server within regular network traffic by registering seemingly legitimate domain names. “For example, the samples used against Slovak targets communicated with a domain name mimicking a Slovak map portal,” says Hromcova.
Additionally, every few months, the authors actively changed implementation of the Okrum loader and installer components to avoid detection. At the time of publication, ESET systems had detected seven different versions of the loader component and two versions of the installer, although the functionality remained the same.