Cybersecurity company ESET has discovered that a known and elusive hacking group has been quietly deploying malware with specific targets. The malware relies on a backdoor that has previously passed under the radar. Moreover, the software conducts some interesting tests to ensure it is running on an actively used computer. If the malware doesn’t detect activity or isn’t satisfied, it simply shuts down and vanishes to maintain optimum stealth and evade possible detection. The new malware is looking for important personalities within the state government machinery. Simply put, the malware is going after diplomats and government departments around the world.
The Ke3chang advanced persistent threat group appears to have resurfaced with a new focused hacking campaign. The group has been successfully launching and managing cyber-espionage campaigns since at least 2010. The group’s activities and exploits are quite efficient. Combined with the intended targets, it appears the group is being sponsored by a nation. The latest strain of malware deployed by the Ke3chang group is quite sophisticated. Previously deployed remote access trojans and other malware were well designed as well. However, the new malware goes beyond blind or mass infection of the targeted machines. Instead, its behavior is quite logical. The malware attempts to confirm and authenticate the identity of the target and the machine.
Cybersecurity Researchers At ESET Identify New Attacks By Ke3chang
The Ke3chang advanced persistent threat group, active since at least 2010, is also identified as APT 15. ESET, the well-known Slovakian antivirus, firewall and cybersecurity company, has identified confirmed traces and evidence of the group’s activities. ESET researchers claim the Ke3chang group is using its tried and trusted techniques. However, the malware has been significantly updated. Moreover, this time around, the group is using a new backdoor. The previously undiscovered and unreported backdoor has been tentatively dubbed Okrum.
ESET researchers further indicated that their internal analysis indicates the group is going after diplomatic bodies and other government institutions. Incidentally, the Ke3chang group has been exceptionally active in conducting sophisticated, targeted and persistent cyber-espionage campaigns. Traditionally, the group went after government officials and important personalities that worked with the government. Their activities have been observed in countries across Europe and Central and South America.
ESET’s interest and focus remain on the Ke3chang group because the group has been quite active in the company’s home country, Slovakia. Other popular targets of the group in Europe are Belgium, Croatia and the Czech Republic. The group is known to have targeted Brazil, Chile, and Guatemala in South America. The Ke3chang group’s activities indicate it could be a state-sponsored hacking group with powerful hardware and software tools that aren’t available to common or individual hackers. Hence the latest attacks too could be part of a long-term sustained campaign to gather intelligence, noted Zuzana Hromcova, a researcher at ESET: “The attacker’s main goal is most likely cyber espionage, that’s why they selected these targets.”
How Does The Ketrican Malware And Okrum Backdoor Work?
The Ketrican malware and Okrum backdoor are quite sophisticated. Security researchers are still investigating how the backdoor was installed or dropped on the targeted machines. While the distribution of the Okrum backdoor continues to remain a mystery, its operation is even more fascinating. The Okrum backdoor conducts some software tests to confirm it is not running in a sandbox, which is essentially a secure virtual space that security researchers use to observe the behavior of malicious software. If the loader doesn’t get reliable results, it simply terminates itself to avoid detection and further analysis.
The Okrum backdoor’s method of confirming it is running on a computer used in the real world is quite interesting as well. The loader only proceeds to retrieve and run the actual payload after the left mouse button has been clicked at least three times. Researchers believe this confirmatory test is performed primarily to ensure the backdoor is operating on a real, functioning machine and not in a virtual machine or sandbox, where no human is producing input.
Once the loader is satisfied, the Okrum backdoor first grants itself full administrator privileges and collects information about the infected machine. It tabulates information such as the computer name, username, host IP address and installed operating system. Thereafter it calls for additional tools. The new Ketrican malware is also quite sophisticated and packs multiple functionalities. It has an inbuilt downloader as well as an uploader. The uploading engine is used to stealthily export files. The downloader tool within the malware can call for updates and even execute complex shell commands to penetrate deep within the host machine.
ESET researchers had earlier observed the Okrum backdoor could even deploy additional tools like Mimikatz. This tool is essentially a stealth keylogger. It can observe and record keystrokes, and attempt to steal login credentials to other platforms or websites.
Incidentally, researchers have noticed several similarities in the commands the Okrum backdoor and the Ketrican malware use to bypass security, grant elevated privileges, and conduct other illicit activities. The unmistakable resemblance between the two has led the researchers to believe the two are closely related. If that’s not a strong enough association, both pieces of software had been targeting the same victims, noted Hromcova: “We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors.”
The two related pieces of malicious software, years apart, and the persistent activities of the Ke3chang advanced persistent threat group indicate the group has remained loyal to cyber espionage. ESET is confident the group has been improving its tactics and that its attacks have been growing in sophistication and efficacy. The cybersecurity company has been chronicling the group’s exploits for a long time and maintains a detailed analysis report.
Quite recently we reported on how a hacking group had abandoned its other illegal online activities and started focusing on cyber espionage. It is quite likely that hacking groups are finding better prospects and rewards in this activity. With state-sponsored attacks on the rise, rogue governments could also be secretly supporting such groups and offering them a pardon in exchange for valuable state secrets.