Ke3chang group targets diplomatic organizations in Europe

guest · Jul 24, 2019

This data-stealing malware waits for you to click a mouse button three times before going into action
Cyber-espionage campaign is thought to be the work of Ke3chang, an ATP hacking group which has been active for ten years
July 18, 2019
https://www.zdnet.com/article/this-...-button-three-times-before-going-into-action/

The Ke3chang advanced persistent threat group is thought to operate out of China and has conducted cyber-espionage campaigns using remote access trojans and other malware since at least 2010.
Now cybersecurity researchers at ESET have identified new attacks by Ke3chang - also known as APT15 -which use an updated version of their Ketrican malware, alongside a new backdoor which has been dubbed Okrum.

It's still not known how Okrum is distributed to targets, but the loader is dropped onto a machine before checking it isn't running in a sandbox – if it is, it terminates itself in an effort to avoid detection and analysis by researchers.
The payload only begins operating after the left mouse button has been clicked at least three times – likely to be another tactic to ensure it is only being installed on real, functioning machines.

With the campaign having been active for almost a whole decade and still evolving its tactics and attacks, it's highly likely that Ke3chang will continue to remain active and conduct further attacks against geopolitical targets.
Click to expand...

ESET: Okrum: Ke3chang group targets diplomatic missions
(PDF - 980 KB): https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf

guest · May 26, 2020

Hacking group builds new Ketrum malware from recycled backdoors
May 26, 2020
https://www.bleepingcomputer.com/ne...s-new-ketrum-malware-from-recycled-backdoors/

The Ke3chang hacking group historically believed to be operating out of China has developed new malware dubbed Ketrum by merging features and source code from their older Ketrican and Okrum backdoors.

The cyber-espionage activities of the Ke3chang advanced persistent threat (APT) group (also tracked as APT15, Vixen Panda, Playful Dragon, and Royal APT) go as far as 2010 according to FireEye researchers.
Ke3chang's operations target a wide range of military and oil industry entities, as well as government contractors and European diplomatic missions and organizations.
Click to expand...

New malware with old features
A new report from Intezer researchers shows how they discovered three Ketrum backdoor samples this month on the VirusTotal platform and associated them with the Chinese cyberspies after noticing that it reused both code and features from Ke3chang's Ketrican and Okrum backdoors.

The new backdoor still follows the same principle of providing a basic backdoor that can be used by Ke3chang operators to take control of a targeted device, connect to it from a remote server, and manually go through the other steps of the operation.
Malware minimalism
"Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs," Intezer explained. "Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality."

"The group continues to morph its code and switch basic functionalities in their various backdoors," Intezer concludes. "This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi."
Click to expand...

Intezer: The Evolution of APT15’s Codebase 2020

The Ke3chang group, also known as APT15, is an alleged Chinese government-backed cluster of teams known to target various high-profile entities spanning multiple continents. Examples include attacks on European ministries, Indian embassies, and British military contractors.
Click to expand...

guest · Jul 2, 2020

Connection discovered between Chinese hacker group APT15 and defense contractor
July 2, 2020
https://www.zdnet.com/article/conne...se-hacker-group-apt15-and-defense-contractor/

In a report published today, cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi'an.

"Activity of these surveillance campaigns has been observed as far back as 2013," Lookout researchers said.
The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.

Some of the group's past hacking operations have been documented by other cyber-security firms, and the hacking group is already known in industry circles under different codenames, such as APT15, GREF, Ke3chang, Mirage, Vixen Panda, and Playful Dragon.
Click to expand...

The vast majority of past APT15 attacks involved malware designed to infect Windows desktops, but Lookout said the group also developed an arsenal of Android hacking tools.

Hacking tools that were already known include malware strains identified as HenBox, PluginPhantom, Spywaller, and DarthPusher. On top of these, Lookout said it also discovered four new ones, which they codenamed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. (see image below for their features)
TIES TO A DEFENSE CONTRACTOR IN CENTRAL CHINA
But Lookout said that during the early stages of its research into APT15's new malware, they found a command-and-control server for the GoldenEagle spyware that was left unprotected.

Lookout said the GPS coordinates plotted around a building hosting the offices of Xi'an Tianhe Defense Technology, a large defense contractor in the city of Xi'an, in central China.
Click to expand...

guest · Jul 23, 2020

mood said: ↑

Connection discovered between Chinese hacker group APT15 and defense contractor July 2, 2020
Click to expand...

Going Down the Spyware Rabbit Hole with SilkBean Mobile Malware
An Android spyware attack was recently discovered that targeted the Uyghur ethnic minority group – since 2013
July 22, 2020
https://threatpost.com/going-down-the-spyware-rabbit-hole-with-silkbean-mobile-malware/157619/

In this in-depth Threatpost podcast Christoph Hebeisen, who leads the Security Intelligence Research Division at Lookout, shares a behind-the-scenes look at how his team discovered and tracked three never-before-seen surveillanceware tools, dubbed SilkBean, GoldenEagle and CarbonSteal.

Hebeisen walks listeners through what these new tools are and how they were used in a seven-year long surveillanceware campaign against the Uyghur ethnic minority group. Also discussed are the threat actor’s methods and procedures and why the mobile landscape is becoming a popular targets for advanced persistent threat actors.
Below find a lightly edited transcript of this podcast.
Click to expand...

guest · Jan 19, 2023

Chinese APT Group Vixen Panda Targets Iranian Government Entities
By Alessandro Mascellino @a_mascellino - January 18, 2023

The Chinese advanced persistent threat (APT) known as Vixen Panda has been linked to a new series of attacks targeting the Iranian government between July and December 2022.
Click to expand...

The claims come from cybersecurity researchers at Palo Alto Networks’ Unit 42, who shared a report about them with Infosecurity via email.

Called "Playful Taurus" by Unit 42, Vixen Panda is also known as APT15, BackdoorDiplomacy, KeChang and NICKEL. The threat actor has been active since at least 2010, often targeting government and diplomatic entities in North and South America, Africa and the Middle East.

“In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian,” wrote Unit 42 in the advisory published earlier today.
“This backdoor remains under active development, and we assess that it is used exclusively by Playful Taurus actors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure.”
Click to expand...

According to Palo Alto Networks, the upgrades to the Turian backdoor and new C2 infrastructure suggest that Vixen Panda continues to see success during its cyber-espionage campaigns.

In the advisory, which is available here, the company has also shared file samples and indicators of compromise (IoC) of the new malicious campaign alongside various protection and mitigation suggestions.
Click to expand...

Palo Alto Networks - Unit42: Chinese Playful Taurus Activity in Iran

January 18, 2023
Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that routinely conducts cyber espionage campaigns. The group has been active since at least 2010 and has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East.

In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian.
Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus.
Click to expand...

Log in or Sign up

Ke3chang group targets diplomatic organizations in Europe

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Ke3chang group targets diplomatic organizations in Europe

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches