Intezer: Ke3chang cyber espionage group has created Ketrum, a malware that merges the features from Ketrican and Okrum
Ketrum is a new malware family attributed to the Ke3chang cyber espionage group and discovered by researchers at Intezer. The malicious code merges features from the group's earlier Ketrican and Okrum backdoors. The Chinese state-sponsored group (also tracked as APT15, Vixen Panda, Playful Dragon and Royal APT) targets military and oil-industry entities, government contractors, and European diplomatic missions and organizations, with the aim of stealing technology and sensitive information. The samples the researchers found continue the APT's established strategy of deploying a basic backdoor to gain control over the victim's device, after which an operator connects to it and runs commands manually to conduct further operations. Moreover, the samples use the same C2 server, which is registered in China.
The cyber security experts: The APT continues to morph its code and switch basic functionalities in the various backdoors
According to the researchers, Ke3chang's numerous tools, including Okrum, Ketrican, TidePool, Mirage, Ketrum and others, all serve the same purpose, give or take a few techniques or functionalities tailored to specific targets. They can be regarded as members of the same BS2005 malware family, distributed as different versions per operation. The distinction created by naming them separately is nonetheless useful for tracking the group's cyber espionage operations and its different development cycles. The tools have not deviated much from those described in FireEye's first report on the group. The group continues to morph its code and swap basic functionalities between its various backdoors. This strategy has worked for years, and there is no indication yet that the group will deviate from this modus operandi.