The Ke3chang APT (Advanced Persistent Threat) is an infamous hacking group from China that has made headlines all around the world. The cyber crooks behind the Ke3chang APT are also known as APT15. The Ke3chang APT has a substantial list of hacking tools, and one of them is the MirageFox RAT (Remote Access Trojan).
The MirageFox RAT is usually utilized as a second-stage payload. The threat allows the Ke3chang group to carry out a variety of threatening tasks on the compromised host. The MirageFox RAT can be particularly useful as a long-term reconnaissance tool. This hacking tool is able to siphon targeted data and files from the infected host, as well as apply changes to the security settings of the compromised system. The latter is a very useful feature that would enable the attackers to inject additional malware into the targeted PC.
Copies of the MirageFox RAT appear to have a hardcoded IP address, which is used for a C&C (Command & Control) server. Also, since the MirageFox RAT is used as a secondary payload, the threat is modified based on the properties of the targeted host, which makes it evident that the attackers are deploying the threat manually. The MirageFox RAT does not attempt to gain persistence on the infected PC, as the attackers are able to launch the threat manually whenever they wish to.
The Ke3chang hacking group is likely a state-sponsored APT, which means that it may be funded straight from Beijing. This APT is known to target foreign government entities, as well as large corporations that operate in key industries such as energy, military, aerospace, etc. The group is also known for utilizing custom-built malware alongside legitimate software to carry out its operations.