Ke3chang APT Spies on Diplomats Using Okrum Malware

Delaware, USA – July 19, 2019 – The Chinese APT group with a nearly ten-year history of attacks added the Okrum backdoor to its arsenal, which is quite different in functionality from the rest of the group’s tools. ESET researchers track the activity of the Ke3chang group (aka APT15, Vixen Panda, Royal APT, and Playful Dragon) and in a recently published report analyzed the malware used by the group since 2015. Okrum was first used at the end of 2016 in a campaign targeted at diplomatic missions in Europe as well as in South and Central Americas. Attackers leveraged it to deliver next-stage malware and tools for further action, including Ketrican backdoor, RoyalDNS malware, and Mimikatz tool. Okrum supports basic commands for downloading and uploading files, executing binaries or running shell commands. After dropping into the system, the malware analyzes the environment and waits until the user makes 3 mouse clicks before taking action, which considerably complicates its detection and analysis. After starting the actions, it gets admin access using API ImpersonateLoggedOnUser, collects information about the system and network, and sends it to the command-and-control server to register the infected system in the attackers’ database. It is noteworthy that the backdoor also registers the name of the active campaign, which allows the APT group to conduct several campaigns simultaneously using one infrastructure.

The researchers assume that Ke3chang APT used the Okrum backdoor to execute complicated commands manually, as they did in other attacks. Even though this backdoor has not been found in the recent campaigns of the group, it is worth remembering that many hacker groups linked to the Chinese government share not only infrastructure but also their tools and source code. You can explore the techniques used by the group during cyberespionage campaigns in MITRE ATT&CK section: