BS2005

By GoldSparrow in Backdoors

In 2013, the China-based hacking group APT15 (Advanced Persistent Threat 15), also known as Ke3chang, launched a series of attacks against various European government bodies. One of the hacking tools employed in these campaigns was the BS2005 backdoor Trojan. Recently, cybersecurity experts came across an updated variant of BS2005, now called TidePool. This new and improved version has an expanded list of capabilities, among them an improved ability to spot software used for malware debugging.

Propagation via Phishing Emails

From 2011 to 2013, the Ke3chang hacking group relied on the BS2005 backdoor Trojan in the majority of their campaigns. Their preferred propagation method was via phishing emails, which would be tailored according to the targeted user's interests. Some were about the presence of the United States' military in the Middle East, particularly in Syria, while others were less political and contained information about the London Olympics. These phishing emails would normally contain an infected attachment, which would carry the payload of the BS2005 Trojan.

Terminates the Maxthon Browser Processes

The BS2005 Trojan has some interesting behavior. For example, it is able to detect the presence of an anti-malware tool that is popular in China and terminate its processes. It also makes sure to shut down all processes belonging to the Maxthon Web browser. Terminating Maxthon did not seem to make sense at first, but researchers soon realized why: the malware uses a peculiar technique to communicate with its control server, invoking an instance of the IWebBrowser COM interface. If this happens while the Maxthon Web browser is open, Maxthon will open a new tab and load the address of the attacker's system, making the communication visible to the user.
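The one host-side behavior in this section that a defender can pin down is a single non-browser process killing every running Maxthon instance just before it starts its own browser-based C2 channel. The following script is an added example, not code from the original page or from any of the research it describes: it runs a small heuristic over constructed process-termination events and flags a process that terminates several browser instances in a short burst while not being the browser itself or a legitimate task-management tool. The JSON event schema, the field names (`killer_pid`, `killer_image`), the browser image name and the process names in the sample are all assumptions made for illustration.

```python
"""
Added example (not part of the original page): flag a process that kills
every Maxthon instance in a burst, the behaviour BS2005 exhibits before it
drives a hidden IWebBrowser instance for command-and-control traffic.
The event schema below is an assumed sensor format, not a real EDR product's.
"""
import json
from collections import defaultdict

# Browser image names we care about (assumed; adjust to the real binary name).
BROWSER_IMAGES = {"maxthon.exe"}
# Processes that legitimately close a browser: the browser itself and
# user-facing task management tools.
ALLOWLIST = {"maxthon.exe", "taskmgr.exe", "explorer.exe"}
WINDOW_SECONDS = 10      # a "burst" is this many seconds wide
MIN_KILLS = 2            # burst size that triggers an alert

# Constructed sample telemetry (not real logs). Each line is one
# process-termination event from a hypothetical sensor that records which
# process issued the kill. "doc_viewer.exe" stands in for a payload dropped
# by a phishing attachment.
SAMPLE_EVENTS = """
{"ts": 100, "event": "process_terminated", "pid": 4120, "image": "maxthon.exe", "killer_pid": 2216, "killer_image": "doc_viewer.exe"}
{"ts": 100, "event": "process_terminated", "pid": 4188, "image": "maxthon.exe", "killer_pid": 2216, "killer_image": "doc_viewer.exe"}
{"ts": 101, "event": "process_terminated", "pid": 4312, "image": "maxthon.exe", "killer_pid": 2216, "killer_image": "doc_viewer.exe"}
{"ts": 250, "event": "process_terminated", "pid": 5011, "image": "maxthon.exe", "killer_pid": 5011, "killer_image": "maxthon.exe"}
{"ts": 300, "event": "process_terminated", "pid": 6001, "image": "notepad.exe", "killer_pid": 900, "killer_image": "taskmgr.exe"}
{"ts": 400, "event": "process_terminated", "pid": 7001, "image": "maxthon.exe", "killer_pid": 900, "killer_image": "taskmgr.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return sorted(events, key=lambda e: e["ts"])


def find_browser_killers(events, min_kills=MIN_KILLS, window=WINDOW_SECONDS):
    """Return one alert per (pid, image) that terminated at least `min_kills`
    browser processes inside a sliding window of `window` seconds and is not
    on the allowlist. Each alert lists the victim PIDs of the largest burst."""
    by_killer = defaultdict(list)
    for e in events:
        if e.get("event") != "process_terminated":
            continue
        if e["image"].lower() not in BROWSER_IMAGES:
            continue
        if e["killer_image"].lower() in ALLOWLIST:
            continue
        by_killer[(e["killer_pid"], e["killer_image"].lower())].append(e)

    alerts = []
    for (kpid, kimage), kills in by_killer.items():
        kills.sort(key=lambda e: e["ts"])
        # Sliding window over the killer's events: track the widest burst.
        start, best = 0, (0, 0)
        for end in range(len(kills)):
            while kills[end]["ts"] - kills[start]["ts"] > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        burst = kills[best[0]:best[1] + 1]
        if len(burst) >= min_kills:
            alerts.append({
                "killer_pid": kpid,
                "killer_image": kimage,
                "victim_pids": [e["pid"] for e in burst],
                "first_ts": burst[0]["ts"],
                "last_ts": burst[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_browser_killers(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the sample above, only `doc_viewer.exe` (PID 2216) is reported: it kills three Maxthon processes within two seconds, while the browser closing its own process and Task Manager closing one instance are both ignored. On its own this is a weak signal; it becomes useful when correlated with the flagged process subsequently making outbound HTTP requests through a COM-hosted browser rather than directly.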

Outdated Self-Preservation Capabilities

The BS2005 backdoor has some self-preservation capabilities too, such as the ability to detect sandbox environments. However, the method it uses is not very effective because it is fairly outdated, and more advanced sandbox environments would likely stay under the radar of the BS2005 Trojan.

Collects Data and can Serve as a First-Stage Payload

The BS2005 Trojan will waste no time once it has infiltrated a system and will establish a connection with the attackers' C&C (Command & Control) server. Then, it will begin transferring information about the system, such as network configuration, username, installed applications and OS version, to the attackers' server. BS2005 is also capable of archiving chosen files and siphoning them to its operators' server. Its ability to execute remote commands makes it much more threatening than it may seem at first glance, as it means the attackers can use it as a first-stage payload to plant additional malware on the compromised machine.

Since 2016, the Ke3chang hacking group has been active again, and malware researchers have noticed that they have introduced some big improvements to their arsenal. Furthermore, their reach has expanded: they have been spotted launching operations against targets in Europe as well as the Middle East.
