By CagedTech in Backdoors

The Ketrican backdoor Trojan is a hacking tool from the arsenal of the infamous Ke3chang APT (Advanced Persistent Threat). This hacking group, also known as APT15, likely originates from China and tends to go after high-profile targets in Europe and South America. Often, the targets are large industries or government institutions. Once a campaign has succeeded, the Ke3chang group tends to lie low in order to minimize the chance of detection by the authorities.

Introduced Updates

However, the APT15 group is making a comeback in 2019 by introducing several updates to some of its most popular hacking tools. One of the tools whose capabilities were boosted this year is the Ketrican backdoor Trojan. Its self-preservation mechanism, which allows it to detect whether it is being run in a debugging environment, has been improved. Furthermore, this update made the Ketrican backdoor much more difficult to detect and also boosted some of its basic capabilities.

Used for Planting More Malware

The Ketrican Trojan tampers with the Windows Registry with the goal of disabling the security features of the system, or at least weakening them if they cannot be fully disabled. This backdoor Trojan's capabilities are fairly limited, and it is likely that the Ke3chang hacking group uses it mainly to plant additional hacking tools on the infiltrated machine.

Executing Commands and Gaining Persistence

Instead of launching the default Windows command-line tool whenever it needs to execute a command, this backdoor Trojan creates a copy of it and places it in an alternative system folder. It then uses that dedicated command-prompt executable to launch all commands requested by the perpetrators. Next, the Ketrican backdoor ensures its persistence by modifying the Windows Registry so that the Trojan is launched automatically whenever the system is rebooted. The traffic between the compromised PC and the C&C (Command & Control) server of the Ke3chang hacking group is encrypted with a private encryption key.

Ketrican is still being developed in 2019. Security researchers managed to isolate and dissect two new samples of the malware. One was more or less the same as an older version of the backdoor, dating back to 2018. The other, however, was a further evolution of the old version. While Ketrican largely retained its old functionality in terms of obfuscation and the way it communicates with its C&C servers, it started using just a single instance of the cmd.exe process, which it uses to change registry values through PowerShell commands. These registry changes further weaken the targeted system. One example of such changes is how Ketrican turns off Internet Explorer's Enhanced Security Configuration, making the system more vulnerable to further attacks.
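The three behaviours described above (a relocated cmd.exe copy, a Run-key autostart entry, and IE Enhanced Security Configuration being switched off) are all visible in host telemetry. The following detection sketch is an added example, not code from the original post or from any vendor; it runs over constructed Sysmon-style events whose field names are an assumption, and the Active Setup GUIDs it matches are the well-known IE ESC component IDs, which the post itself does not list.

```python
import ntpath

# Constructed sample events (not real telemetry). id 1 = process creation,
# id 13 = registry value set; field names loosely follow Sysmon (assumption).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Windows\Temp\cmd.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "details": r"C:\Users\Public\update.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
               r"\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

# Directories where a legitimate cmd.exe lives.
CMD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Active Setup components for IE Enhanced Security Configuration (admins / users).
IE_ESC_GUIDS = {"{A509B1A7-37EF-4B3F-8CFC-4F3A74704073}",
                "{A509B1A8-37EF-4B3F-8CFC-4F3A74704073}"}
RUN_KEY_MARKER = "\\currentversion\\run\\"


def check_process(ev):
    """Flag a command prompt that runs from outside the usual system directories."""
    image = ev["image"].lower()
    if ntpath.basename(image) == "cmd.exe" and ntpath.dirname(image) not in CMD_DIRS:
        return f"cmd.exe copy executed from {ev['image']}"
    return None


def check_registry(ev):
    """Flag Run-key autostart writes and IE ESC being set to not installed."""
    target, low = ev["target"], ev["target"].lower()
    if RUN_KEY_MARKER in low:
        return f"autorun entry written: {target} -> {ev['details']}"
    guid = ntpath.basename(ntpath.dirname(target)).upper()
    if guid in IE_ESC_GUIDS and low.endswith("\\isinstalled") \
            and ev["details"].endswith("(0x00000000)"):
        return f"IE Enhanced Security Configuration disabled: {target}"
    return None


def detect(events):
    """Return the list of findings produced by the checks above."""
    findings = []
    for ev in events:
        hit = check_process(ev) if ev["id"] == 1 else (
            check_registry(ev) if ev["id"] == 13 else None)
        if hit:
            findings.append(hit)
    return findings
```

On the sample events this yields three findings; the benign System32 cmd.exe launch and the unrelated Explorer setting are ignored.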

It is likely that the Ketrican backdoor Trojan will get more updates in the future, as it seems to be among the hacking tools the Ke3chang APT is most fond of. To keep your system safe from threats like the Ketrican backdoor, download and install a legitimate anti-malware application and make sure to keep it up to date.
