Pierluigi Paganini July 24, 2019

ESET researchers reported that China-linked cyberespionage group APT15 has been using a previously undocumented backdoor for more than two years.

Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years. APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide in several industries, including the defense, high tech, energy, government, aerospace, and manufacturing. The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks.

Experts discovered that since December 2016, the APT15 group has been using the previously undocumented backdoor dubbed Okrum. The backdoor was used in attacks on targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017.

“Second, we identified a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. We first detected Okrum, through ESET telemetry, in December 2016; it targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017.” reads the report published by ESET.

The hackers leverage the Okrum backdoor to deliver the Ketrican malware, which is derived from the BS2005 (operation Ke3chang malware) malicious code.

The Okrum backdoor supports several commands to implement several abilities, such as download/upload files, execute binaries, run shell commands, update itself, and adjust the time it sleeps after each backdoor command. 

Experts noticed that the backdoor supports only basic commands, likely because it is either a first-stage backdoor, or because its operators execute more complicated commands manually. 

Experts noticed that organizations infected with Okrum in 2017 were previously affected with other APT15 malware, a circumstance that suggests that the same APT group is behind these attacks. 

“In late 2016, we identified a previously unknown backdoor that we named Okrum. We discovered that the Okrum backdoor was used to deliver a Ketrican sample. This newly discovered Ketrican sample from 2017 has evolved from the Ke3chang group’s BS2005 malware family and is described in section 4.2.” continues the report. “Moreover, the entities where we detected Okrum in 2017 were previously affected with backdoors known to be attributed to the Ke3chang group – another hint that Okrum is the work of the same threat actor “

ESET has not been able to discover the initial attack vector and the dropper of the malware, anyway the experts have identified the following components used in the Okrum backdoor:

• An optional stage 0 loader;
• Stage 1 loader;
• An installer component;
• A PNG file with an embedded backdoor;

The backdoor is deployed in the form of a DLL, it communicates over the HTTP protocol using GET, POST and HEAD requests. 

The Okrum backdoor is not very complex, this implies that most of the malicious activity must be performed by manually typing shell commands, or by executing other available tools.

ESET also reported that the APT15 has been using the Ketrican backdoor since 2015, for downloading and uploading files, executing files and shell commands, and sleeping for a configurable time. 

Attackers also noticed that systems infected with the above two families were also targeted with the RoyalDNS malware that uses DNS to communicate with the C&C server. Once executed the command the backdoor returns output through DNS.

In 2018, the APT15 group used new Ketrican samples that implemented the ability to load DLLs and adopted the XOR cipher for encryption.

“Finally, the 2018 Ketrican backdoors share another feature common for Ke3chang group backdoors. They are known to modify specific registry keys and values in order to weaken some security settings of the compromised machine, which can help them further extend their malicious capabilities to provide those not available via the backdoor itself” continues the report.

Researchers also observed other two new Ketrican samples in 2019 that present many similatitied with instance observed in the past. The 2019 version also modifies the same rare combination of registry values as all earlier Ketrican samples.

“The Ke3chang APT group (a.k.a. APT15) has rightfully been on the radar of security researchers because of its decade-long operation, targeting high-value victims such as diplomatic entities, and other geopolitical aspects associated with them.” concludes ESET. “While ESET does not engage in attribution of these activities to a particular nation-state, we do attempt attribution of individual malware-driven cyberattacks to a particular APT group”

Pierluigi Paganini

(SecurityAffairs – APT15, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]