Okrum

The Ke3chang hacking group, also known as APT15 (Advanced Persistent Threat), is a group of cyber crooks that are likely operating from China. This hacking group is known to have targeted governments, as well as big industries like the military and oil. Once they launch a successful campaign, they seize activity for a while so that authorities would have a hard time tracking them. In 2017 they had, several operations, which were a success and then they went into hiding once again. However, recently, the Ke3chang has made a comeback. The APT15 group has updated several of their most prominent hacking tools – RoyalDNS, Okrum, and Ketrican.

Operations in Europe and South America

In this post, we will be discussing the Okrum backdoor. This threat is capable to self-preserve very successfully as it employs several different methods of detecting whether the host is a sandbox environment, which is used for debugging malware. Furthermore, the Okrum backdoor can encrypt its network traffic and thus prevent researchers from seeing what data is exfiltrated. It appears that the campaigns that employed the Okrum backdoor were mainly focused on big-fish targets located in Europe (Slovakia and Belgium) and South America (Brazil, Guatemala, and Chile). The propagation method is unknown. The domain of the Command & Control server masqueraded as one of a legitimate Slovakian map service to make it blend with regular network traffic. This serves one sole purpose - to make the induced traffic blend in with the regular one. This way, it would be much more challenging for security experts to identify the addresses the attackers used to control the backdoor. A similar approach was taken in the South American campaigns.

Employing Steganography

Another notable feature of the Okrum backdoor is that its creators have opted to hide a corrupted code in an image. A seemingly innocent ‘.png’ file would be delivered to the victims, and once they open it, the hidden code will trigger an encrypted file, which contains the payload of the Okrum backdoor. This cunning technique is called steganography. This method helps obfuscate the unsafe activity of this threat, and some lower-end anti-malware applications may fail to detect it.

Capabilities

The list of capabilities of the Okrum backdoor is not very long. This threat can:

• Execute files.
• Upload files.
• Execute remote commands.
• Gather data.
• Transfer data to attackers’ C&C (Command & Control) server.

However, the Okrum backdoor mainly serves as a gateway for additional malware, which the attackers may want to plant on the infiltrated machine. They seem to use it often to load keyloggers on the compromised hosts, among other hacking tools.

Even if the Ke3chang hacking group disappears for a while, do not be fooled, they have not halted their operations. These cybercriminals work to improve their arsenal of hacking tools tirelessly and introduce updates to their tools to further weaponize them periodically. Make sure you have a reputable ant-virus software suite, which will keep you safe from the cunning tools of the APT15 group, like the Okrum backdoor.

Okrum: Moving Forward

The threat actors behind Okrum don't seem to be slowing down their activities. In fact, it's quite the opposite. Security researchers have noted that the authors of the backdoor changed the implementation of two earlier-stage components related to its installation every few months, in a bid to avoid detection. Researchers have been able to detect a total of two versions of its installer and seven different versions of the loader component.

The functionality of Okrum, however, doesn't change. The backdoor functionality is enough for the threat actors, who use it to execute complicated commands manually. With a few tweaks here and there to avoid detection, APT15 continues to pose a severe threat to diplomatic missions around the globe, using a wide variety of malware to achieve its goals. Furthermore, many of the targets that have been affected by the Okrum backdoor have previously been targeted by the Ketrican or the RoyalDNS backdoors on one or more occasions, showing the threat actors' determination. This is certainly not the last we're going to hear about the Ke3chang hacking group and its exploits.