• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Hacking
  • Malware
  • China-Linked APT15 group is using a previously undocumented backdoor

China-Linked APT15 group is using a previously undocumented backdoor

Pierluigi Paganini July 24, 2019

ESET researchers reported that China-linked cyberespionage group APT15 has been using a previously undocumented backdoor for more than two years.

Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years. APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide in several industries, including the defense, high tech, energy, government, aerospace, and manufacturing. The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks.

Experts discovered that since December 2016, the APT15 group has been using the previously undocumented backdoor dubbed Okrum. The backdoor was used in attacks on targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017.

“Second, we identified a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. We first detected Okrum, through ESET telemetry, in December 2016; it targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil throughout 2017.” reads the report published by ESET.

The hackers leverage the Okrum backdoor to deliver the Ketrican malware, which is derived from the BS2005 (operation Ke3chang malware) malicious code.

The Okrum backdoor supports several commands to implement several abilities, such as download/upload files, execute binaries, run shell commands, update itself, and adjust the time it sleeps after each backdoor command. 

Experts noticed that the backdoor supports only basic commands, likely because it is either a first-stage backdoor, or because its operators execute more complicated commands manually. 

Experts noticed that organizations infected with Okrum in 2017 were previously affected with other APT15 malware, a circumstance that suggests that the same APT group is behind these attacks. 

“In late 2016, we identified a previously unknown backdoor that we named Okrum. We discovered that the Okrum backdoor was used to deliver a Ketrican sample. This newly discovered Ketrican sample from 2017 has evolved from the Ke3chang group’s BS2005 malware family and is described in section 4.2.” continues the report. “Moreover, the entities where we detected Okrum in 2017 were previously affected with backdoors known to be attributed to the Ke3chang group – another hint that Okrum is the work of the same threat actor “

ESET has not been able to discover the initial attack vector and the dropper of the malware, anyway the experts have identified the following components used in the Okrum backdoor:

  • An optional stage 0 loader;
  • Stage 1 loader;
  • An installer component;
  • A PNG file with an embedded backdoor;

The backdoor is deployed in the form of a DLL, it communicates over the HTTP protocol using GET, POST and HEAD requests. 

The Okrum backdoor is not very complex, this implies that most of the malicious activity must be performed by manually typing shell commands, or by executing other available tools.

ESET also reported that the APT15 has been using the Ketrican backdoor since 2015, for downloading and uploading files, executing files and shell commands, and sleeping for a configurable time. 

Attackers also noticed that systems infected with the above two families were also targeted with the RoyalDNS malware that uses DNS to communicate with the C&C server. Once executed the command the backdoor returns output through DNS.

In 2018, the APT15 group used new Ketrican samples that implemented the ability to load DLLs and adopted the XOR cipher for encryption.

“Finally, the 2018 Ketrican backdoors share another feature common for Ke3chang group backdoors. They are known to modify specific registry keys and values in order to weaken some security settings of the compromised machine, which can help them further extend their malicious capabilities to provide those not available via the backdoor itself” continues the report.

Researchers also observed other two new Ketrican samples in 2019 that present many similatitied with instance observed in the past. The 2019 version also modifies the same rare combination of registry values as all earlier Ketrican samples.

APT15

“The Ke3chang APT group (a.k.a. APT15) has rightfully been on the radar of security researchers because of its decade-long operation, targeting high-value victims such as diplomatic entities, and other geopolitical aspects associated with them.” concludes ESET. “While ESET does not engage in attribution of these activities to a particular nation-state, we do attempt attribution of individual malware-driven cyberattacks to a particular APT group”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT15, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT15 Hacking hacking news information security news Intelligence malware Okrum backdoor Security News

you might also like

Pierluigi Paganini July 11, 2025
U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 10, 2025
UK NCA arrested four people over M&S, Co-op cyberattacks
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

    Hacking / July 10, 2025

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    DoNot APT is expanding scope targeting European foreign ministries

    APT / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT