Ke3chang targets diplomatic missions in Europe-Latin America with Okrum

ESET: Ke3chang cyber espionage group is targeting diplomatic missions in Europe and Latin America via a backdoor called Okrum

The Ke3chang cyber espionage group is targeting diplomatic missions in Europe and Latin America via a backdoor called Okrum, discovered by ESET security researchers. The malware was first detected in December 2016 and was used against diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017. The group (also tracked as APT15, Mirage, Playful Dragon and Vixen Panda) has been active since at least 2010, when it made a name for itself by developing simple but custom malware, such as the BS2005/Ketrican backdoors and the RoyalDNS malware, and deploying it in what was dubbed “Operation Ke3chang.” Almost 10 years later, the group remains active and continues to use revamped versions of BS2005/Ketrican.

The researchers: the threat actors tried to hide malicious traffic to their C&C server within regular network traffic by registering seemingly legitimate domain names

According to the researchers, Ke3chang tried to blend malicious traffic to its C&C server into regular network traffic by registering seemingly legitimate domain names. For example, the samples used against Slovak targets communicated with a domain mimicking a Slovak map portal (support.slovakmaps[.]com). A similar masquerade was used in a sample detected in a Spanish-speaking country in South America: the Okrum operators used a domain name that translates as “missions support” in Spanish (misiones.soportesisco[.]com). How the malware was delivered to the targeted machines is still an open question.

The cyber espionage group’s backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components. Every few months, the authors changed the implementation of the Okrum loader and installer components to avoid detection

The Okrum backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components. During ESET’s investigation, the implementation of these two components changed frequently: every few months, the authors reworked the Okrum loader and installer to avoid detection. By the time of publication, the researchers had identified seven different versions of the loader component and two versions of the installer, although the functionality remained the same. The payload of the malware is hidden in a PNG file. When the file is opened in an image viewer, an ordinary image is displayed, but the Okrum loaders are able to locate an extra encrypted file inside it that the user cannot see. This steganography technique is an attempt to stay unnoticed and evade detection, and the group continues to refine its code over time.
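The article does not say how the Okrum loaders locate the hidden file inside the PNG. The following is an added example, not ESET’s or the malware authors’ code, showing the simplest form of the technique and the check a defender can run against it: a valid PNG is built, an encrypted blob is appended after the IEND chunk (which image viewers ignore), and a chunk walker that verifies CRCs reports any bytes past IEND. The 1x1 cover image, the sample payload and the repeating-key XOR “cipher” are all constructed here for illustration and are assumptions, not details from the Okrum samples.

```python
"""
Detecting a payload appended past the end of a PNG image.

Added example, not ESET's or the Okrum authors' code. It assumes the simplest
form of the technique the article describes: an extra, encrypted blob that an
image viewer ignores because it sits after the IEND chunk. The XOR "cipher"
and the 1x1 cover image are constructed here for illustration.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_cover_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG that any viewer will render (constructed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type...
    idat = zlib.compress(b"\x00\xff")  # filter byte 0 followed by one white pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.

    Raises if the signature is missing, a CRC is wrong or IEND never comes;
    those conditions are themselves worth flagging when triaging a file.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        pos = body_end + 4
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_data(data: bytes) -> bytes:
    """Everything after IEND. A clean PNG returns b''; anything else is suspicious."""
    return data[png_end_offset(data):]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a stand-in for whatever cipher a real loader would use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_payload(png: bytes, payload: bytes, key: bytes) -> bytes:
    """Append the encrypted payload after IEND; the image still decodes normally."""
    return png[:png_end_offset(png)] + xor_bytes(payload, key)


def extract_payload(data: bytes, key: bytes) -> bytes:
    """What a loader would do: find the hidden blob and decrypt it."""
    return xor_bytes(trailing_data(data), key)


if __name__ == "__main__":
    cover = build_cover_png()
    secret = b"MZ\x90\x00 pretend this is the encrypted DLL"  # constructed sample
    stego = embed_payload(cover, secret, key=b"\x5a\xa5")
    print("trailing bytes in clean PNG:", len(trailing_data(cover)))
    print("trailing bytes in stego PNG:", len(trailing_data(stego)))
    print("recovered payload matches:", extract_payload(stego, b"\x5a\xa5") == secret)
```

Data after IEND is a triage signal rather than proof: some editors append metadata or concatenate files, so pair the check with the size and entropy of the trailing blob and with the context in which the PNG was dropped. A loader that hides the blob inside an ancillary chunk or in the pixel data instead would not trip this check.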