One of the best-known hacking groups believed to operate from China is the Ke3chang APT (Advanced Persistent Threat), also known as APT15. Over time, malware researchers have kept a close eye on the activity of the Ke3chang hacking group and have made some interesting discoveries. APT15's campaigns carry significant similarities with those of other Chinese hacking groups: similar tactics, almost identical infrastructure and matching payloads. Among these China-based hacking groups are Playful Dragon, GREF, RoyalAPT, Vixen Panda and Mirage. Usually, such close similarities mean one of two things (or both): certain prominent hackers are members of more than one group, and/or the hacking groups share information and techniques to mutual benefit.
Ke3chang’s Arsenal of Hacking Tools
The Ke3chang hacking group tends to attack industries or individuals of high importance. It is known to have executed attacks against the military and oil industries, as well as diplomats, politicians and various government bodies. The group develops its own hacking tools and carries out its operations almost exclusively with them. Some of the tools in its vast arsenal are TidePool, Ketrican, RoyalDNS, BS2005 and Okrum, among others. However, cybersecurity experts have spotted a campaign in which the Ke3chang hacking group used a publicly available hacking tool called Mimikatz, which is used for collecting information from the compromised host.
How the Ke3chang Group Usually Carries Out Its Attacks
Back in 2010, the Ke3chang APT got on the map with its infamous campaign against high-ranking politicians in Europe. The group is also known to have launched campaigns in South America targeting similar individuals. Usually, the Ke3chang hacking group first infiltrates a host and collects information about the system, such as software and hardware data. This helps the attackers decide on the most efficient way to continue the operation. Other data is also exfiltrated, such as chat logs, passwords and documents. The attackers may then use their privileges on the compromised machine to attempt to infiltrate other potentially vulnerable systems connected to the same network.
The Okrum Malware
The gem in the Ke3chang group's crown is the Okrum malware. This threat is particularly complex and impressive. The hacking group also uses a rather intricate propagation method: steganography. This technique involves embedding the threat's malicious script inside a specially crafted PNG file.
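From a defender's side, a payload carried inside a PNG often leaves structural traces that a plain image does not: chunk types the PNG specification does not define, CRC fields that no longer match their chunk data, or bytes appended after the IEND chunk that image viewers silently ignore. The following PNG chunk walker is an added example written for this article, not code from the page or from any Okrum analysis; it parses a file's chunk list and reports those anomalies. The sample images it checks are constructed inline (a minimal 1x1 grayscale PNG, and a copy with a private chunk and trailing data), and the chunk name `prIv` and the blob contents are placeholders. Note the caveat: a payload hidden in pixel data with valid structure (for example, least-significant-bit encoding) passes this check, so treat the output as a triage signal rather than a verdict.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined in the PNG specification; anything else is worth a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}


def walk_png(data):
    """Walk the chunk list of a PNG and return (chunks, findings).

    chunks   : list of (type, length, offset) in file order
    findings : human-readable structural anomalies (empty for a clean file)
    """
    if not data.startswith(PNG_SIGNATURE):
        return [], ["not a PNG: bad signature"]

    chunks, findings = [], []
    pos = len(PNG_SIGNATURE)
    saw_iend = False

    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {name} at offset {pos}")
            break
        # Each chunk carries a CRC-32 over type + data; a mismatch means the
        # bytes were edited after the image was written (or the file is damaged).
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if struct.unpack(">I", crc_field)[0] != expected:
            findings.append(f"CRC mismatch in {name} at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes) at offset {pos}")
        chunks.append((ctype, length, pos))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break

    if not saw_iend:
        findings.append("no IEND chunk")
    elif len(data) - pos > 0:
        # Decoders stop at IEND, so bytes after it are invisible to viewers.
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    return chunks, findings


def make_chunk(ctype, body):
    """Encode one PNG chunk with a correct CRC (used only to build sample files)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailing=b""):
    """Constructed 1x1 grayscale PNG, optionally with extra chunks and trailing data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    out = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += make_chunk(ctype, body)
    return out + make_chunk(b"IEND", b"") + trailing


# Constructed samples (not real Okrum artifacts): a clean image, and one that
# carries a private chunk plus a blob appended after IEND.
CLEAN_PNG = build_png()
SUSPICIOUS_PNG = build_png(
    extra_chunks=[(b"prIv", b"constructed hidden blob")],
    trailing=b"constructed trailing data",
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        chunks, findings = walk_png(sample)
        print(label, [c[0].decode() for c in chunks], findings or "no anomalies")
```

Run over a directory of images pulled from a suspect host (or from the mail gateway), the findings list is enough to pick out which files deserve a closer look; a CRC mismatch or trailing data on an otherwise ordinary image is rare in legitimate software output.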
Usually, the Ke3chang hacking group makes sure to gain persistence on the infected system. This helps them keep the planted threat active for longer periods.