One of the most prominent hacking groups believed to hail from China is the Ke3chang APT (Advanced Persistent Threat), also known as APT15. Over time, malware researchers have kept a close eye on the activity of the Ke3chang hacking group and have made some interesting discoveries. It appears that APT15's campaigns share significant similarities with those of other Chinese hacking groups: similar tactics, almost identical infrastructure and matching payloads. Among these China-based hacking groups are Playful Dragon, GREF, RoyalAPT, Vixen Panda and Mirage. Usually, such close similarities mean one of two things (or both): certain prominent hackers are members of more than one group, and/or the hacking groups share information and techniques to their mutual benefit.
Ke3chang’s Arsenal of Hacking Tools
The Ke3chang hacking group tends to attack industries and individuals of high importance. It is known to have executed attacks against the military and oil industries, as well as diplomats, politicians and various government bodies. The Ke3chang hacking group develops its own hacking tools and carries out its operations almost exclusively with them. Some of the tools in the group's vast arsenal are TidePool, Ketrican, RoyalDNS, BS2005, Okrum, and others. However, cybersecurity experts have spotted a campaign in which the Ke3chang hacking group used a publicly available tool called Mimikatz, which is used for collecting credentials and other information from the compromised host.
How the Ke3chang Group Usually Carries Out Its Attacks
Back in 2010, the Ke3chang APT got on the map with its infamous campaign against high-ranking politicians in Europe. The group is also known to have launched campaigns in South America targeting similar individuals. Usually, the Ke3chang hacking group infiltrates a host and first collects information about the system, such as software and hardware data. This helps the attackers decide on the most efficient way to continue the operation. Other data is also exfiltrated, such as chat logs, passwords and documents. The attackers may then use their privileges on the compromised machine to attempt to infiltrate other potentially vulnerable systems connected to the same network.
The Okrum Malware
The gem in the Ke3chang group's crown is the Okrum malware. This threat is particularly complex and impressive. The hacking group also uses a rather intricate propagation method: steganography. This technique involves injecting the threat's malicious script into a specially crafted PNG file.
Usually, the Ke3chang hacking group makes sure to gain persistence on the infected system. This helps the group keep the planted threat active for longer periods.