Ketrum Backdoor Description
The Ke3chang hacking group is an APT (Advanced Persistent Threat) that originates from China. It is likely that the Ke3chang APT is sponsored by the Chinese government and carries out cyberattacks on its behalf. The Ke3chang hacking group is known to have conducted a number of high-profile operations targeting foreign government bodies, business organizations, diplomatic missions and others. Two of the most widely used hacking tools in the arsenal of the Ke3chang group are called Ketrican and Okrum. Recently, malware researchers uncovered a new threat that appears to be a hybrid of the Ketrican and Okrum tools. Fittingly, this new malware has been named the Ketrum Backdoor.
The Ketrum Backdoor is a rather minimalistic utility, like the majority of the hacking tools created by the Ke3chang group. Some samples of the threat appear to have several features stripped out, which keeps the Ketrum Backdoor very stealthy and helps it avoid detection. Malware researchers spotted the first samples of the Ketrum Backdoor back in January 2020. These early variants of the threat connected to a server located in China, which is no longer operational.
The Ketrum Backdoor is able to:
- Upload files.
- Execute files.
- Download files from the Web.
- Utilize the Windows PowerShell service.
- Execute remote commands on the host.
- Execute a 'sleep mode,' which disables the threat for a set period.
Most of the hacking tools created by the Ke3chang APT can take screenshots of the infected system's desktop and active windows. The Ketrum Backdoor, however, is not capable of this. It is likely that the Ke3chang APT is distributing the Ketrum Backdoor via phishing emails that trick users into launching an infected attachment.
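The combination described above, a phishing attachment that leads to PowerShell being used on the host, is something a defender can look for in process-creation telemetry regardless of which backdoor is behind it. The following is an added example, not code from the original article or from any vendor: it scores process-creation events where an Office or mail-client process spawns PowerShell, adding weight for command-line switches that hide the window or pass an encoded command. The CSV log format, the field names and the four sample events are constructed for this example, and the scoring thresholds are an assumption rather than a published rule.

```python
"""Added example: flag PowerShell launched from Office / mail-client
processes in constructed process-creation logs."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs). One benign Word launch from
# Outlook, one Word -> hidden encoded PowerShell chain, two ordinary
# PowerShell uses from Explorer and cmd.exe.
SAMPLE_LOG = r"""timestamp,host,parent_image,image,command_line
2020-01-14T09:02:11Z,WS01,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,WINWORD.EXE /n invoice.docx
2020-01-14T09:02:18Z,WS01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -w hidden -enc SQBFAFgA
2020-01-14T09:05:40Z,WS02,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\scripts\backup.ps1
2020-01-14T09:07:02Z,WS03,C:\Windows\System32\cmd.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe Get-Date
"""

# Parent processes that should rarely need to start a shell directly.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Switches commonly used to make a PowerShell launch less visible; each
# adds one point to the score (assumed weighting).
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                    "-windowstyle hidden", "-nop", "-noprofile")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the CSV-shaped telemetry into a list of event dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def score_event(event: Dict[str, str]) -> int:
    """Score one event: 0 unless the child is PowerShell, +2 for an Office
    or mail-client parent, +1 per suspicious command-line switch."""
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return 0
    score = 2 if basename(event["parent_image"]) in OFFICE_PARENTS else 0
    cmd = event["command_line"].lower()
    score += sum(1 for flag in SUSPICIOUS_FLAGS if flag in cmd)
    return score


def find_alerts(text: str, threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Return (host, timestamp, score) for events at or above the threshold."""
    alerts = []
    for event in parse_events(text):
        score = score_event(event)
        if score >= threshold:
            alerts.append((event["host"], event["timestamp"], score))
    return alerts


if __name__ == "__main__":
    for host, ts, score in find_alerts(SAMPLE_LOG):
        print(f"{ts} {host} PowerShell spawned from Office/mail client, score={score}")
```

Only the Word-to-PowerShell event on WS01 crosses the threshold; the Explorer and cmd.exe launches score zero because their parents are not in the watched set and their command lines carry none of the hiding switches. In a real deployment the parent list and switch weights would be tuned against the environment's baseline, since administrators' scripts can legitimately use `-NoProfile`.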