The Ke3chang hacking group is an APT (Advanced Persistent Threat) believed to operate from China; the group is also known as APT15. Cybersecurity experts believe this APT may be sponsored by the Chinese government and is likely used to carry out attacks that further Beijing's interests internationally. The Ke3chang group is known to rework and repurpose its hacking tools, and the RoyalCli malware is one example: it appears to be based on a Trojan known as RoyalDNS, which has been used in several large-scale attacks against foreign government bodies.
Malware researchers first spotted the RoyalCli threat in 2017. The backdoor was identified on systems belonging to contractors that work with government departments of the United Kingdom. RoyalCli allows the attackers to drive the Windows Command Prompt, which lets them execute commands remotely. The threat can also run a list of pre-made commands, which allows the attackers to perform tasks such as:
- List the active processes.
- Change the system's configuration.
- Exfiltrate information regarding the system's hardware and software.
The Ke3chang hacking group frequently uses legitimate tools, since this helps its harmful activity go undetected for longer. This technique is known as 'living off the land' and is used by many high-tier threat actors. However, before it can employ genuine utilities in a campaign, the Ke3chang group first has to gain a foothold on the targeted system with a tool like the RoyalCli malware.
The Ke3chang group is well known in the world of cybercrime as a highly skilled operator that is able to use both Trojanized copies of legitimate tools and custom-built malware.
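As an added illustration from the detection side (this is not code from the article or from any published Ke3chang analysis): the article says RoyalCli drives cmd.exe and ships pre-made commands for listing processes, changing system configuration and collecting hardware/software details, and that the group then leans on legitimate built-in utilities. The script below groups constructed process-creation events by parent process and flags a parent whose cmd.exe children cover several of those capability classes within a short window. The command-to-category mapping, the time window and the sample paths are assumptions, not indicators from the page.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry):
# (timestamp_seconds, parent_image, image, command_line)
EVENTS = [
    (100, r"C:\Users\u\AppData\Roaming\svc.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c tasklist"),
    (102, r"C:\Users\u\AppData\Roaming\svc.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    (105, r"C:\Users\u\AppData\Roaming\svc.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c reg add HKCU\Software\X /v a /d 1 /f"),
    (200, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (900, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c tasklist"),
]

# Assumed mapping from the three capability classes the article names to
# built-in Windows commands a backdoor could invoke through cmd.exe.
CATEGORIES = {
    "process_listing": re.compile(r"\b(tasklist|wmic\s+process|get-process)\b", re.I),
    "system_info": re.compile(r"\b(systeminfo|wmic\s+(computersystem|os|bios)|ipconfig|hostname)\b", re.I),
    "config_change": re.compile(r"\b(reg\s+add|reg\s+delete|netsh|sc\s+config|schtasks\s+/create)\b", re.I),
}

def categorize(command_line):
    """Return the set of capability classes a cmd.exe command line matches."""
    return {name for name, rx in CATEGORIES.items() if rx.search(command_line)}

def find_recon_chains(events, window=300, min_categories=2):
    """Group cmd.exe launches by parent image and flag parents whose children cover
    at least `min_categories` distinct classes within `window` seconds.
    Returns {parent_image: sorted list of categories seen}."""
    per_parent = defaultdict(list)
    for ts, parent, image, cmdline in events:
        if image.lower().endswith("\\cmd.exe"):
            cats = categorize(cmdline)
            if cats:  # ignore cmd.exe children that match no category (e.g. "dir")
                per_parent[parent].append((ts, cats))
    hits = {}
    for parent, items in per_parent.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide a window from each launch
            seen = set()
            for ts, cats in items[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                hits[parent] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for parent, cats in find_recon_chains(EVENTS).items():
        print(f"ALERT parent={parent} categories={cats}")
```

A single tasklist from explorer.exe is normal administrator behaviour, so only the parent that chains several categories in quick succession is reported.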