'Member Ke3chang? They're still at it, you know. Euro diplomats targeted by 'China-based' hacker crew

An old-school shadowy malware group believed to operate out of China has been targeting diplomats with what infosec researchers say is a previously undocumented backdoor.

The Ke3chang group, which has been active for a number of years, has long been observed to target diplomats and diplomatic gatherings. As we reported back in 2013, it is thought to have first targeted a G20 finance ministers' meeting in 2011.

Nonetheless, the group is relatively elusive. Researchers from ESET spotted malware being deployed in European countries including Slovakia, Croatia, the Czech Republic and others – and in late 2016 came across a backdoor enabled by malware which it dubbed Okrum.

Analysing the malware used in these attacks, ESET researchers found that it was linked to malware previously attributed to Ke3chang, and dubbed these new versions Ketrican. They saw that Okrum was being used to drop a Ketrican backdoor.

"We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors," said Zuzana Hromcova, the ESET researcher who uncovered them.

"Besides the shared targets, Okrum has a similar modus operandi as previously documented Ke3chang malware. For example, Okrum is only equipped with basic backdoor commands and relies on manually typing shell commands and executing external tools for most of its malicious activity, which is a standard modus operandi of the Ke3chang group across its previously investigated campaigns," said ESET in a statement.

The threat intel firm added that it had seen "detection evasion techniques" in the Okrum malware, which it said was still being used as recently as March this year.

It added (PDF) that the "payload starts only after the left (physical) mouse button has been pressed at least three times"...

A few years ago Ke3chang was spotted by Palo Alto Networks' infosec bods as it used a Word vulnerability to target Indian embassies around the world. India shares a substantial land border with China, though the two powers enjoy largely peaceful relations.

The international element of malware campaigns is an ever-expanding component of international relations. China, Russia, Iran, North Korea and other countries all have highly specialised state-backed hacker crews whose brief is to target lucrative or politically useful targets. Ke3chang is just one of those. ®